Can't get rid of infected file


Well-Known Member
Sep 6, 2003
cPanel Access Level
Root Administrator
One of our hosting accounts had their website hacked. It's WordPress. I have to assume the developer did not have proper security features installed. I have Configserver's Exploit Scanner installed on this server and it has been constantly flagging index.php as infected. I tried everything I could think of to get rid of the file. But it spontaneously regenerates.

I eventually suspended the account and that stopped all the email alerts from cxs watch. I'd like to get to the bottom of this in case the client still wants to have a website.

Has anyone run into anything similar?

Any recommendations on a person or company who would be expert at dianosing this type of issue?
Last edited by a moderator:


Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! Your best bet might be to reach out to one of the admins listed here:

While cPanel doesn't recommend anyone in particular, those admins all advertise their familiarity with cPanel tools, and some have the SafeAdmin Certification as well.

If something is recreating the index.php with the compromised code, that would imply there is some script running on that user's account automatically.