If malware returns after you clean WordPress, stop assuming the problem lives inside WordPress. A new Wordfence case study shows a server-level backdoor can keep re-infecting wp-config.php even after a full site cleanup.
When cleanup fails, the server may be compromised
Wordfence investigated a WordPress site that kept getting redirect malware reinserted into wp-config.php every few hours. The team found no bad plugins, no rogue admin user, and no database injection inside WordPress. They traced the reinfection to the server, where an attacker abused CyberPanel’s SnappyMail logging and turned it into a root-level backdoor, which means the attacker controlled the server itself and could rewrite WordPress files whenever they wanted.
This affects WordPress sites that run on a compromised server with CyberPanel and SnappyMail in the attack path. It matters most for site owners who manage their own VPS or dedicated server, or who use a host that gives them CyberPanel access. If your site sits on standard managed WordPress hosting and you do not use CyberPanel, you are probably not affected by this specific attack chain. You should still pay attention if redirects, spam tabs, or injected code return after repeated cleanups, because that pattern points to a server problem, not a WordPress-only problem.
If your WordPress site runs on CyberPanel, or if malware keeps coming back after cleanup, have your host or server admin audit the server immediately and rebuild it if they confirm compromise, because cleaning WordPress files alone will not remove a root-level backdoor.
End of article