Why Malware Keeps Coming Back? (Hidden Cron Job Hack Explained)

Published on 11/14/2025
MD Pabel

Have you ever spent hours cleaning a WordPress hack, feeling that sweet relief… only to find your site re-infected the next day? Or even an hour later? It’s one of the most frustrating things that can happen to a site owner. You clean the files, change your passwords, and still, the malware keeps coming back.

You’re not going crazy. You’re likely dealing with a hidden backdoor that’s automatically regenerating the malware.

This is a common problem, whether you’re on cPanel or a VPS. Hackers are smart. They know you’ll find their infected files, so they plant a second piece of malware. Its only job is to wait for you to clean up, and then re-infect your site all over again.

One of the most common ways they do this is with a malicious cron job.

How Does the Malicious Cron Job Get There?

This is a great question. The cron job is rarely the first step of a hack. A hacker can’t just add a cron job to a server they don’t have access to.

The infection almost always happens in this order:

  1. The Initial Break-In: First, the hacker gets into your site. This is almost always through a vulnerability, like an outdated WordPress plugin, a weak password, or an old theme.
  2. Uploading a Backdoor: Once inside, their first move is to upload a “webshell” or “backdoor” file. This file might be named something innocent like wp-check.php or hidden inside a folder like /wp-includes/. This webshell is a simple “control panel” that lets the hacker run commands on your server.
  3. Creating the Cron Job: The hacker then uses their webshell to send a command to your server to create the cron job. The cron job’s only purpose is to re-download or re-create the malware, including the webshell itself, in case you find it.

So, the cron job is an insurance policy for the hacker. It makes sure that even if you find their initial backdoor, their malware keeps coming back after removal.

What is a Cron Job (and How Do Hackers Abuse It)?

In simple terms, a cron job is just a scheduled task. It’s a normal feature on all web servers (including cPanel) that lets you automate commands. For example, you might have a legitimate cron job that runs a backup script every night at 2 AM.

Hackers abuse this by creating their own hidden cron job. But instead of running a backup, their job does something like this:

  • It runs every single minute.
  • It checks your website files (like index.php or wp-includes).
  • If it sees you’ve removed their malware, it automatically adds it back.

This is why the malware keeps coming back after removal. You are cleaning the symptom (the infected file), but not the cause (the cron job that keeps re-infecting it).

Understanding the Malicious Cron Job Attack

Let’s look at a real-world example. This cron job from a cPanel account shows exactly how hackers hide their code to keep control of your site.

The command looks like this:

/usr/local/bin/php -r 'eval(gzinflate(base64_decode("jVJrb6JAFP3ur2…")));'

This command is intentionally hidden and runs every minute. Let’s break down the three layers the hacker uses to hide their code:

  1. Base64 Encoding: This (base64_decode) is the first layer. It makes the malicious code look like a random, harmless string of text (the “jVJrb6JAFP3ur2…”).
  2. Gzip Compression: This (gzinflate) is the second layer. The code is compressed (like a .zip file). This hides it even more and makes it harder for simple security scanners to see what it really does.
  3. PHP eval() Execution: This is the final, dangerous step. eval is a command that tells PHP, “Take all that hidden, compressed code, un-hide it, and then run it.”
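To see what such a command would run without ever executing it, you can peel the layers off statically. The following is an added example, not code from the original article: `unwrap` and `constructed_sample` are hypothetical helper names, and the sample payload is a constructed, harmless `echo` statement.

```python
import base64
import re
import zlib

# One eval(gzinflate(base64_decode("..."))) wrapper; group 1 is the encoded blob.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)\s*\)"
)

def unwrap(php_code, max_layers=10):
    """Return (layers_removed, inner_source). Nothing is ever executed."""
    layers = 0
    while layers < max_layers:
        match = WRAPPER.search(php_code)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(1))
            # PHP's gzinflate() reads raw DEFLATE data, hence wbits=-15.
            php_code = zlib.decompress(raw, -15).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # truncated or corrupt blob: keep the last readable layer
        layers += 1
    return layers, php_code

def constructed_sample(php_source, layers):
    """Build a harmless test input wrapped in the layers described above."""
    for _ in range(layers):
        packer = zlib.compressobj(wbits=-15)
        blob = packer.compress(php_source.encode()) + packer.flush()
        encoded = base64.b64encode(blob).decode()
        php_source = 'eval(gzinflate(base64_decode("%s")));' % encoded
    return php_source

if __name__ == "__main__":
    # Constructed cron command: a benign echo wrapped twice.
    wrapped = constructed_sample('echo "constructed benign payload";', 2)
    cron_command = "/usr/local/bin/php -r '%s'" % wrapped
    print(unwrap(cron_command))
```

Save the decoded source alongside your incident notes before deleting the cron job; it often names the files the job rewrites.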

The “Every Minute” Attack

The * * * * * at the beginning of the cron entry is the schedule. It means “run this command every minute, of every hour, of every day.”

This aggressive timing ensures that even if you find and delete an infected file, the cron job will re-infect it almost immediately. This is the very definition of malware that regenerates after you remove it.

How to Get Rid of Malware That Keeps Coming Back

Okay, so how do you fix this? You have to find and delete that malicious cron job. The steps are different depending on your hosting.

1. How to Remove the Malware in cPanel

If your host uses cPanel (or a similar control panel like Plesk), this is the easiest way.

  1. Log in to your cPanel.
  2. Scroll down to the “Advanced” or “Tools” section.
  3. Click on the “Cron Jobs” icon.
  4. Look at the “Current Cron Jobs” list at the bottom of the page.
  5. Look for the malicious job. It will be the one that looks like a random string of characters, eval, base64_decode, or anything else you don’t recognize. A legitimate cron job usually has a clear command, like /home/user/public_html/wp-cron.php.
  6. Click the “Delete” button next to that malicious line.

That’s it! You’ve just stopped the re-infector. The malware will no longer keep coming back automatically.

2. How to Remove the Malware on a VPS (Command Line / SSH)

If you run your own server (a VPS, cloud, or dedicated server), you’ll need to use the command line.

  1. Connect to your server via SSH.
  2. Type crontab -l and press Enter. This will list all the cron jobs for your current user.
  3. Look for the same suspicious line (e.g., * * * * * php -r 'eval…').
  4. If you find it, type crontab -e to edit your cron jobs.
  5. This will open a text editor. Use your arrow keys to move the cursor to the malicious line and delete the entire line.
  6. Save the file and exit. (In the nano editor, you press Ctrl+O to save, then Enter, then Ctrl+X to exit).

Pro Tip: Hackers sometimes hide the cron job under a different user, like the web server user (www-data or apache). Try running sudo crontab -u www-data -l to check that user’s cron jobs, too.
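When there are several users to check, reading each crontab by eye gets error-prone. The script below is an added example, not part of the original article: it reads `crontab -l` output and flags entries containing the indicators described above. The function name `audit_crontab`, the file name `audit_cron.py` and the sample crontab are assumptions made for illustration.

```python
import re
import sys

# Indicators named in the article: eval, base64_decode, gzinflate, inline PHP
# (php -r), plus a long unbroken base64-looking run ("random string").
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"base64_decode"),
    "gzinflate": re.compile(r"gzinflate"),
    "inline-php": re.compile(r"\bphp\S*\s+-r\b"),
    "long-blob": re.compile(r"[A-Za-z0-9+/=]{80,}"),
}

# Constructed sample of `crontab -l` output; the last entry reuses the
# truncated command shown in the article.
SAMPLE = """\
MAILTO=admin@example.com
# nightly backup
0 2 * * * /home/user/backup.sh
*/15 * * * * /usr/local/bin/php /home/user/public_html/wp-cron.php
* * * * * /usr/local/bin/php -r 'eval(gzinflate(base64_decode("jVJrb6JAFP3ur2...")));'
"""

def audit_crontab(text, user="current"):
    """Return one finding per crontab entry whose command matches an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*\s*=", line):
            continue  # blank line, comment, or environment assignment
        fields = line.split(None, 1 if line.startswith("@") else 5)
        if len(fields) < 2 or (not line.startswith("@") and len(fields) < 6):
            continue  # not a complete "schedule command" entry
        schedule, command = " ".join(fields[:-1]), fields[-1]
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if hits and schedule == "* * * * *":
            hits.append("every-minute")  # aggravating: re-infects within 60 s
        if hits:
            findings.append({"user": user, "line": lineno,
                             "schedule": schedule, "hits": hits})
    return findings

if __name__ == "__main__":
    # Usage: sudo crontab -u www-data -l | python3 audit_cron.py www-data
    who = sys.argv[1] if len(sys.argv) > 1 else "current"
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_crontab(text, who):
        print(finding)
```

An empty result only means none of these specific indicators matched, so still read through any entry you do not recognize.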

Important: You’re Not Done Yet!

Deleting the cron job is like turning off the leaky faucet. It stops the problem from getting worse, but you still have to clean up the mess.

Your WordPress malware removal is not complete. The site is still infected, but now it will stay clean once you clean it.

Here are your next steps:

  1. Run a Full Malware Scan: Now that the re-infector is gone, use a security plugin like Wordfence or Sucuri to run a full scan. It will find all the files that the cron job created or infected. For more trusted options, check out the detailed guide.
  2. Clean the Files: Go through the scanner’s report and clean or delete all the infected files. Now that the cron job is gone, they won’t come back.
  3. Change ALL Your Passwords:
    • Your cPanel/hosting password
    • All WordPress admin passwords
    • All FTP passwords
    • Your database password (update this in your wp-config.php file too)
  4. Update Everything: Hackers often get in through outdated plugins or themes. Update WordPress core, all your plugins, and all your themes to the latest versions.
  5. Harden Your Site: Install a security plugin and follow its recommendations (like enabling a firewall) to prevent this from happening again.

Finding malware that keeps regenerating is a nightmare, but once you know why it’s happening, you can fix it for good. The problem isn’t a “WordPress virus” that’s unkillable; it’s almost always a hidden script, like a cron job, that you just haven’t found yet.

Conclusion

Dealing with WordPress malware that keeps coming back can be scary and frustrating. But the good news is, once you understand the real cause — usually a hidden cron job — you can stop it for good. Always check your cron jobs, remove any suspicious ones, and then clean your site completely.

After that, change all your passwords, update everything, and install a trusted security plugin to protect your site in the future. With a little patience and the right steps, you can make sure your website stays safe, clean, and secure.

If you ever want expert help, I provide professional malware removal and full security hardening to keep your WordPress site protected for the long run.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 7+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.