Hey, thanks for the reply. The support team at my host told me it wasn't a system issue. They cited that 3 of my domains were running WordPress versions not up to date, and the others were up to date. They told me that any versions before x.x.x (I forget which version they quoted, but earlier than 3) were exploitable.
However, the exploit continually takes place about once or twice a week (probably a bot attack) on a domain that IS and HAS BEEN up to date and with which I've implemented htaccess restrictions throughout. Checked all chmod levels, etc.
As I stated, I'm not aware of a WordPress exploit that allows manipulation of files. Perhaps I'm wrong, but all WordPress exploits could do is inject payloads in the db, right? I'm trying to figure that out. I'm trying to figure out what route this hack is taking to gain access to modify my files and whether or not it could do so without FTP access.
I've looked through the logs. I have found some questionable POST activity coming from China. I've since blocked several IPs. However, if this is a server security issue, I don't think these attacks are going to be in the log files I'm provided with...
I was hoping somebody could confirm or point out their experience with such an exploit and possible methods to prevent it. I've found a few posts about similar hacks, and I've followed the suggested remedies to no avail.
As for the skin, it's custom. I don't use free or premium skins. I have 2 plugins. I will be removing them, as I'm not sure if they are the issue or not either.
I've combed my DB and found nothing suspicious. I'll be migrating it soon with a new prefix (was already a custom prefix) to a fresh install and changing all of the credentials. In theory, if it's not a server issue, that should fix it and prevent any future attacks, right?
I could speculate, though, that if it is a server issue, it would be more likely that all domains on my server would be attacked. So, I don't really know.