For a while now, a WordPress site I host has been continually hacked. All the other blogs I host are untouched, it's just the one in top level. I keep fixing it and doing more to harden my installation, but it doesn't seem to stop them - every couple days it's hacked again. The hack is simple and consistent; they add a line like this to my wp-blog-header.php:
Sometimes it ends up elsewhere, most recently jquery.js. It's always taking visitors to some .cc domain.
I've done everything I can to keep the site secure:
- Ultimate Security Checker and Bulletproof Security (hardened .htaccess files) plugins installed and configured
- WP and plugins kept up to date
unused plugins and themes deleted
- FTP password secured with KeePass and stored nowhere else (no program (FileZilla, etc) is allowed to "remember" it).
- WP admin account has no privileges, real admin account under a different user
- file permissions as recommended
Yet every couple days the site is hacked in the same way. What else can I do to stop this? My hunch is that it's a rogue PHP file. I've downloaded my install and done diffs, but I'm wondering if it's hiding in wp-content since it's publicly accessible and is never deleted. Maybe hiding in cache? How can I check for that?