not sure where to post this but I've discovered a niggle problem when you install bulletproof security (for securing wordpress files via htaccess etc - really does a very good job as I'm already seeing on my server! https://wordpress.org/plugins/bulletproof-security/ The Installation process fails giving a PHP fatal error - a require once on path /var/www/mywebsite.com/web/.. that is not on the path when ISPConfig sets up a website. when you go in to the Options tab and add this manually (right after the /var/www/mywebsites.com/web entry) in the php open basedir - and save and restart http - problem solved and the installation proceeds just fine. Package really DOES lock down the folders that seem to be letting the nasties get onto the site - number of infections has plummeted on my server and the only remaining one is a false positive! good job all.