We have a folder named Hosting
Inside of that we have around 10 websites that are all wordpress and 1 that's ASP.NET. Each one has its own folder, own pool identity, and each folder has its pool identity in the permissions for full control.
One of the wordpress sites got hacked, and all the website folders including the ASP.NET one have random PHP files that are doing mail spam.
What are we doing wrong? I thought the pool identity feature limits each website to its own and not to access other websites. Right now it is impossible to tell which site is getting hacked (we deleted all the virus php files, changed all the passwords, and they appeared 3 days later)