First of all let me tell you about my web site rubyslippersbcn.com. I keep the WP version always updated within a few days to latest version.
So now i have 3.51 with Atahualpa theme latest version.
A couple of days ago I noticed some text flashed for a few seconds before my site loaded. Right click; view source and i found this:
<div id="viru39sesl" style="visi ...
[code moderated - please do not post this kind of code in the forum]
So I started looking around for this and came to the conclusion that i was hacked, backdoored and URL injected. backed up my local copy and put it in a usb stick, deleted everything and downloaded the online version to search for strings like:
also stuff like:
This rendered useless as i could not find a hint of what was happening or where or even what to look for.
Finally i decided to erase all non essential plugins, which didnt work.
I changed all my passwords, including DB, users, etc, which didnt fix it either.
Lastly i decided to overwrite my Theme with a freshly downloaded version from wordpress.org
Done! no more viagra links on my website.
So finally i could not find the backdoor, or what had happened and how. All i know it was hidden somewhere in the theme folder. Anyone? any clue? Also I am hosted at goDaddy and it seems that some people with shared hosting had same problems.
In any case, i always keep a backup and DB backup, I fixed it after 10hs of trying stuff, 2 more hours and i would have done complete rollback.