So I ran my first scan on a client's site using the Exploit Scanner plugin and found malicious files in the uploads directory (which was actually named something else and was in the root, so was not in the wp-content directory). There was a new directory in there named "quarantine" with a handful of files named just strings of letters. I went through the files and checked permissions, all directories are 755 and files are 644, except the uploads directory. The only reason we even caught the hack was because we tried to Update to 3.5 and it broke everything, most core files weren't overwritten so it was incomplete (we uploaded fresh files) but I don't know if the 2 are connected.
I'm wondering how this can happen though, how does someone upload files like this to a website? Would this be the reason we couldn't Update WP, or are the 2 unrelated? How can I prevent someone from doing this again?
I ran through the Hardening WordPress page several times and already use most of the suggestions on that page. I block wp-config in htaccess, prevent file editing from the admin in wp-config, and I always check permissions on files. I install plugins that help detect corrupt files, such as Wordfence for instance, but that only alerts you to the fact that there's a problem after it happens. Is there anything else I can do to prevent files from being uploaded?