If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Antivirus Flags wp-info.php on FTP

Started by messnct, Aug 28, 2024, 12:15 AM


messnct (Topic starter)

I observed that when trying to access the FTP, the antivirus triggers an alert about the wp-info.php file, which has shown up in every folder of all sites (along with four other files like aindex.php). Initially, I deleted them by hand and changed the FTP password, but it didn't work; the files came back.
Would it be easier to just restore everything from backups or is there a method to track down who's responsible?


john.vanis5

I'd like to admit, my first thought is to not jump straight to restoring from backups. While that might fix the immediate problem, it's more of a band-aid solution unless you can track down how the attack happened in the first place. Otherwise, there's a chance the files will just keep coming back after a while.

First off, you mentioned you changed your FTP password – that's good, but it's not always enough. You need to make sure your passwords are strong and unique across all admin accounts, and ideally, you should also be using SFTP instead of regular FTP to prevent any easy interception of your credentials. But there's more to it than just passwords.

Start by scanning your entire site for any malicious code. Tools like Wordfence or Sucuri for WordPress can help identify infected files. However, don't just rely on automatic scans – some malware can be sneaky, hiding itself within legit files. Look for suspicious code snippets, especially in core WordPress files or custom PHP files that shouldn't have been modified. If you find any files you don't recognize, or that look out of place, get rid of them.

Additionally, it's essential to check your database as well. Hackers often leave traces in wp_options or wp_posts tables that allow them to regain access even after you've cleaned everything up. Make sure there are no unauthorized user accounts or unusual settings that might hint at ongoing compromise.

Next step, you might want to check your hosting environment. Ensure your server software (like PHP, Apache/Nginx) and any CMS or plugins you're using are fully up-to-date. If you're on shared hosting, it's possible that another compromised account on the same server is being used to attack your site, so contact your host to see if they can provide any additional security measures or insight.

Finally, after you've cleaned up, consider installing a web application firewall (WAF) and set up regular scans. This can help prevent future attacks by filtering out malicious requests before they reach your site. You could also enable two-factor authentication (2FA) for any logins – it's one more barrier for hackers to break through.

So, to sum it up – yes, restoring from backups could work temporarily, but without addressing the root cause, you'll probably find yourself in the same situation again soon. It's better to go through the steps of cleaning up the site manually and securing everything for the future. That way, you're solving the problem, not just covering it up.
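As an added example (not code from this thread, and not from Wordfence, Sucuri or any other tool named above), here is a small Python triage scanner that does mechanically what john.vanis5 recommends doing by hand: walk the document root, flag the file names the original post reports as dropped (wp-info.php and aindex.php are the only names taken from the thread), flag PHP files that carry the obfuscation idioms typical of injected back doors, flag PHP files under wp-content/uploads where none should exist, and compare known core files against a hash manifest so that modified core files stand out. The directory layout, the manifest and every sample file are constructed inside a temporary directory so the script runs offline; on a real site you would point `scan_tree` at the document root and build the manifest from a clean copy of the same WordPress version.

```python
"""Triage scan of a WordPress tree after a web-shell infection (constructed demo)."""
import hashlib
import re
import tempfile
from pathlib import Path

# File names the original post reports as appearing in every folder.
DROPPED_NAMES = {"wp-info.php", "aindex.php"}

# Idioms common in injected PHP back doors, each with a short label for the report.
SUSPICIOUS_PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request parameter passed to eval/exec",
     re.compile(r"(?:eval|assert|system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request data written to disk",
     re.compile(r"file_put_contents\s*\([^;]*\$_(?:GET|POST|REQUEST)\b", re.I)),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_tree(root, core_manifest):
    """Return a list of (relative_path, reason) findings for every file under root.

    core_manifest maps a relative path to the SHA-256 of the known-clean file.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in DROPPED_NAMES:
            findings.append((rel, "known dropped file name"))
        if rel in core_manifest and sha256_of(path) != core_manifest[rel]:
            findings.append((rel, "core file hash mismatch"))
        if path.suffix.lower() in PHP_SUFFIXES:
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file under uploads"))
            text = path.read_text(errors="replace")
            for label, pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(text):
                    findings.append((rel, f"suspicious code: {label}"))
                    break  # one code finding per file is enough for triage
    return findings


def build_sample_site():
    """Create a constructed WordPress-like tree plus a manifest of its clean core files.

    Every file here is made up for the demonstration; the infection is simulated
    after the manifest is recorded, mirroring a backup taken before the incident.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = '6.6';\n",
        "wp-content/plugins/demo/demo.php": "<?php function demo_hello() { return 'hi'; }\n",
    }
    for rel, body in clean.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    manifest = {rel: sha256_of(root / rel) for rel in ("index.php", "wp-includes/version.php")}

    # Simulate the compromise: a dropper in the root, a copy inside a plugin folder,
    # a modified core file, and a PHP file in the uploads directory.
    (root / "wp-info.php").write_text("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    (root / "wp-content/plugins/demo/aindex.php").write_text("<?php /* constructed placeholder */ ?>\n")
    (root / "index.php").write_text("<?php include 'wp-info.php'; require __DIR__ . '/wp-blog-header.php';\n")
    uploads = root / "wp-content/uploads/2024/08"
    uploads.mkdir(parents=True)
    (uploads / "image.php").write_text("<?php echo 'constructed'; ?>\n")
    return root, manifest


if __name__ == "__main__":
    site, core = build_sample_site()
    for rel, reason in scan_tree(site, core):
        print(f"{reason:40s} {rel}")
```

The report lists each file once per reason, so a file like wp-info.php shows up both by name and by content; the clean plugin file and the unmodified wp-includes/version.php produce nothing. The database side of the advice (unauthorized users, rogue rows in wp_options or wp_posts) is not covered by this script.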

shazab

It sounds like your system got compromised through an SQL injection attack. Typically, the WordPress (WP) platform is breached by exploiting vulnerabilities in third-party plugins, which often contain numerous security gaps. Tracking down the attacker is almost impossible since they operate with a high level of anonymity—unless, of course, you're dealing with an inexperienced hacker, like a schoolboy. Your best bet now is to scan for weaknesses in your plugins, and if your WP version is outdated, make sure to update that as well.
By the way, it might also be worth considering using a web application firewall (WAF) to block such exploits in the future.

ElioFroton

A really good case for SQL injections, though I'm not even sure it's aware of what a DB actually is.

Comparing my very first website, built on some trashy constructor, with his HANDMADE HTML creation, I can't help but feel like I'm Bill Gates in web dev.

