Hi everyone,
I’m posting here to get expert guidance from the community regarding a recent malware issue I faced on my WordPress website.
Over the past few weeks, my site has been hit by multiple malware attacks. The website primarily provides APK-related content, including separate pages optimized for PC users and older Android versions, so security and user trust are extremely important for me.
What I’ve done so far:
Changed all admin, hosting, and database credentials
Removed suspicious users and old usernames
Reinstalled WordPress core files from a clean source
Replaced wp-content selectively and verified wp-config.php
Scanned the site using security tools and hosting malware scans
Submitted a review request in Google Search Console after cleanup
Despite these steps, this is not the first time the site has been compromised, which makes me think the issue might be deeper (server-level, vulnerable plugin/theme, or persistent backdoor).
What I’m looking for:
Best practices to prevent recurring malware infections
How to identify hidden backdoors that survive reinstalls
Recommendations for server hardening (permissions, firewall rules, cron checks)
Whether APK-focused sites are more frequently targeted and how to mitigate that risk
Advice on securing pages targeting PC users and legacy/old Android versions
I’m not looking for shortcuts or unethical solutions—only proper, long-term security practices that comply with web standards and user safety.
Any insights from professionals who’ve handled similar cases would be greatly appreciated.
Thanks in advance for your time and expertise.