A few weeks ago all the index.php and index.html files for 9 sites I maintain were swapped for hacked pages. I quickly replaced these and changed all the passwords: FTP, WordPress accounts and database.
GoDaddy, my host, confirmed only the index pages had been changed (I think the weak point was an old WordPress site a client had not updated for a while, which gave entry to the server?).
Having had a flood of odd traffic in the few weeks prior to this, I installed the 'Block Bad Queries (BBQ)' and 'Limit Login Attempts' plugins. Also, GoDaddy applied a recent update to the hosting server. 2 weeks I thought I was in the clear...
But today I noticed the Google ads I have on one of the sites displayed the usual 4 words but the last one was 'viagra'. The website http://www.barbicanwaterfront.com is a community site set up to help people in the area. I did a search everywhere and the word Viagra does not appear.
However, Google reports 2 pages where it appears the word had been injected into some text on news posts (again, these all look clear now).
After looking about, I've run a barrage of tests using plugins:
Sucuri Security - SiteCheck Malware Scanner (and their website)
WebsiteDefender WordPress Security
WP Security Scan
(also using GoDaddy's daily site scanner)
All have come back with no malware or file changes. I did have base64 in 4 files BUT on downloading fresh copies from wordpress.com (one is Jetpack's file) I found the code in there already, so it was not inserted.
I have had the server error logs and more running for the last 2 days but I'm not sure what to look for to help see if something is going on.
Question is, is this Viagra thing a one-off, and after installing the exploit blocker and the other things I've mentioned (including the GoDaddy server upgrade and the latest WordPress release) it won't happen again?
Having said that, Google have the site listed as "This site may be compromised." but Webmaster Tools is saying it's clean (could my excessive scanning etc. on the server today have caused that?) :(
Can anyone help?