How to find out who is creating folders?


Well-Known Member
Feb 8, 2016
cPanel Access Level
Root Administrator
Hello Community.

Hope everybody is doing good.
We are currently struggling with one of the customer accounts that is being hacked on a daily basis now. That drives us crazy.
The customer is using the WordPress CMS, and there are a few content managers from India who are using it to update content on a daily basis.
A week ago the customer reported that Google Ads had blocked his campaign because of a number of malware/virus complaints.

After we have made a scan, we have located many folders and files that have no relation to WordPress.

The customer has hired an expert on Fiverr to clear out the malware and reinstall all modules on WordPress; we have assisted with changing the passwords on FTP and WordPress, and with securing and hardening everything.

But every day these files pop up in the morning like mushrooms )

Is there a way to determine who, or what, is generating these folders?

Any advice is welcome.
Thank you.


Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! You mention that you are resetting the password for a user. Have you performed a virus scan on the user's machine(s) with access to that cPanel account? It's possible there could be keylogger software installed that is stealing the password and then using it to log in.

Rachel S

Apr 28, 2022
United States
cPanel Access Level
Website Owner
You can take the following actions to deal with the situation:

To determine who creates folders on the website, you can check the website's server logs. The server logs will contain information about when and where the folders were created.

Once you have access to the logs, look for entries corresponding to when the folders were created. The logs will show the IP address and other identifying information of the user who created the folders.

In cases where the server logs do not provide enough information, you may need to look for other clues to determine who is creating the folders. Some steps you can take include:
  • Look for accounts with administrative access or accounts that were created recently.
  • Review file permissions.
  • Set up alerts or notifications for any changes to the website or files.
  • Limit access to the website from specific IP addresses or regions.
Implement various security measures to harden the website's security and prevent future attacks.

Remove unnecessary files: Remove any files or folders that have no relation to WordPress or the website. These files may be leftover from a previous hack or an unrelated software installation.

Harden security: Consider implementing additional security measures to prevent future attacks. This may include using a web application firewall (WAF), enabling two-factor authentication (2FA), or limiting access to the site from specific IP addresses.

Monitor the site: Keep a close eye on the website to ensure it remains secure. Set up alerts for any unusual activity, such as failed login attempts or changes to files or content.

I hope these help you to address the hacking issue and prevent it from happening in the future.
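
Added example, not part of any post in this thread: one way to do the log correlation described above is to take each unexpected folder's timestamp and list the write-type HTTP requests logged around that moment. The log lines, paths, timestamps and function names below are constructed for illustration, and the Apache "combined" access log format is an assumption about the server.

```python
import re
from datetime import datetime, timezone

# Apache "combined" format: client IP, [timestamp], "METHOD path ...", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def requests_near(created, log_lines, window_s=60, methods=("POST", "PUT")):
    """Map each new path to the write-type requests logged within window_s of it.

    created: {filesystem path: timezone-aware datetime}. On a live server the
    datetime would come from os.stat(path).st_ctime (inode change time), which,
    unlike mtime, cannot be set to an arbitrary value with touch.
    """
    hits = {p: [] for p in created}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec[2] not in methods:
            continue  # skip unparseable lines and read-only requests
        for p, t in created.items():
            if abs((rec[1] - t).total_seconds()) <= window_s:
                hits[p].append((rec[0], rec[2], rec[3], rec[4]))
    return hits

# Constructed sample data: documentation IP ranges, made-up paths and times.
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Mar/2023:03:12:07 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Mar/2023:03:12:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_CREATED = {
    "/home/example/public_html/newdir": datetime(2023, 3, 14, 3, 12, 9, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for path, reqs in requests_near(SAMPLE_CREATED, SAMPLE_LOG).items():
        print(path, "->", reqs or "no write request in window")
```

An empty result for a folder means no HTTP write request lines up with its timestamp, which points the search toward FTP logins or scheduled jobs on the account instead.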