Thanks esmi; that’s a ton of code to search through… *sigh*.
…also, checking here I found an unknown user in my WordPress, so I deleted it. I reckon they found my db password, created a user, and wrote bad files.
:: shrugs :: Anyway; you think that it’s all I have to do (deleting that user) or is there anything else?