Recurrent Malware Problem at Ionos Hosting Provider

Description of the Problem:
Repeated malware attacks are affecting multiple WordPress sites hosted on the same FTP space with the Ionos hosting provider. These attacks involve unauthorized modifications to files, particularly wp-config.php, and the addition of suspicious PHP files at the root and in various folders. The hosting provider's response has been to modify file access rights, which has not definitively resolved the problem.

Examples of Undesirable Modifications:

Insertion of suspicious lines in wp-config.php (example: $rs5 = "/kunden/.../.edbfcdf9.ccss";@include_once /* q5 */ ($rs5);)
Addition of PHP files such as index.php, options.php, themes.php, wp-login.php in various folders (.local, .wp-cli), with content similar to that found in wp-config.php
Current Countermeasure Measures:

SSH Script for Resetting: Execution of a script to remove and reinstall the wp-admin and wp-includes folders, deletion of PHP files (except wp-config.php), and readjustment of permissions.
Manual Cleaning of wp-config.php: Manual removal of lines added by the malware in wp-config.php.
Specific Request to the Security Expert:
In SSH: #!/bin/bash

# Remove specific folders and files
rm -rf wp-admin wp-includes && find . -maxdepth 1 -type f -name "*.php" ! -name "wp-config.php" -exec rm -f {} \;

# Download WordPress core without content
wp core download --skip-content --force

# Remove wp-config-sample.php file
rm wp-config-sample.php

# Change permissions of folders and files
find . -type d -exec chmod 755 {} \; &
find . -type f -exec chmod 644 {} \; &

In-Depth Analysis: Examine attack vectors, server logs, plugins, themes, and security configurations.
Root Solution: Propose a comprehensive strategy to eliminate the malware and prevent future attacks.
Deep Expertise: Advanced understanding of WordPress hosting environments and specific challenges related to Ionos is required.
Additional Context for the Expert:

Attack History: Several attempts at resolution by different developers have not been successful. The Ionos hosting provider has taken measures, but the problem persists.
Impact on the Sites
Here is the translation of the text in English:

Here is my space and the WordPress folders. Most of the sites are not infected, but they are sometimes attacked by another site that is contaminated:


fannysbeauty
kolia
nextcocoon
storelyst
storelyst/maisonezinris
storelyst/merchant/ecoleducoiffeur
storelyst/merchant/flawlaceparis
storelyst/merchant/orahparis
storelyst/merchant/-sneakersandgo
storelyst/merchant/vianacosmetiques
storelyst/merchant/cubanohair
storelyst/merchant/orahparisacademy
storelyst/merchant/stellayato
storelyst/merchant/dreamvirginhair
storelyst/merchant/jardindepaix
storelyst/merchant/nkmacademy
storelyst/merchant/stellayatoacademy
storelyst/merchant/dulcebolosso
storelyst/merchant/fannysbeauty
storelyst/merchant/lambertbeauty
storelyst/merchant/nkminstitut
storelyst/merchant/secureacademy
storelyst/merchant/testeur
storelyst/pay
libotta
samlyhair
stylebyep
vanessahayes
boya
dacry
sbdrteam
demo
jardindepaix
orahparis
therlandeglow
edsar
jardindepaix-old
lollaparis
orahparis-
slayandslim
thevenuse
yolandahair
elleryse
kellyhair
mbcoiffure
slimeaa
tmstudio
fannyparis
klesis
misterclim
queenhair
stellayato
trinity