I have like 50 wordpress sites setup on my VPS. I can't update all of them to the latest wordpress every week or so. Every other week, some files get uploaded to the websites, files which are used to send spam mails from my server. When I go try to find the apache access logs, all are overwritten because the file has been accessed thousands of times, and it only shows the IPs accessing the site, but the logs of how the file got uploaded gets overwritten. My FTP credentials are secure, no unusual activities in the FTP logs.
How do you tackle spams like these? Am running a cpanel VPS, and have limited every account's email per hour limit to 20.
With the popularity of wordpress, am regretting using it in the first place. Should have made a custom cms which no one knows about.