I have a website that is hosted by a company. Some idiot has been hacking it every month. They are uploading PHP scripts to my webroot directory and executing them somehow. I have changed my password, and they are still able to put these files there. Once they do, they send thousands of requests to these scripts to bring my webserver to a crawl. My web host is now upset with me because it is slowing the server down for their other clients.
I need someone with PHP, Linux, Apache security experience to find out how they are doing this and to make my own PHP scripts more secure.
Be advised that I don't host my own website. I have a company host it for me with Linux, Apache, MySQL, PHP.
Once the security holes are found, I would like to give the PHP scripts to the programmer to look over and change whatever it is that is insecure. These should not be more than 15 files or so.
The only user input I get is a few forms that insert their information into a MySQL table.
Linux, PHP, MySQL, Apache