Hi Alex,

It’s highly unlikely that it’s a hole in WordPress itself, as there are thousands of people looking for holes in the WordPress Core code. If you’re only running default plugins or no plugins at all, and still having this issue, then I would suspect another PHP file somewhere else on your site (unrelated to WordPress) that an attacker is using to get in. It might also be through a vulnerability in your web host, so you may want to talk to them about that.

Good luck!