Been hacked fourth time in WP

Discussion in 'WordPress' started by xira, Aug 1, 2011.

  1. samie

    samie Member

    #21
    Wordpress - The safest CMS and impossible to get hacked? I highly doubt that :p Why do you think Wordpress has come out with so many updates? There are probably at least tens of thousands of Wordpress sites that get hacked every day and all on various different Web Hosts. I've had two Wordpress sites on two different hosts and a VPS server and had them all get hacked within the same month. Yes mostly a lot of the sites are because they don't update their Wordpress often, and in some cases the Web Host does get hacked too, but that's not an easy task and it's not very common.

    I used to work for a Web Hosting company and I would take about 10 calls every day with people screaming and complaining that our servers are not secure yet they don't even keep their Wordpress up to date and so I restore a backup and have to prove them wrong by showing them vulnerabilities in their Wordpress site.

    However, one time we really did get hacked. Someone somehow got remote access to our main database (which also contained credit card information) and started downloading the table containing all of our customers' logins. There was so much information being downloaded due to the amount of customers we have and luckily the servers started getting overloaded and our NOC team discovered the download in progress and purged it. But with what they were able to download they started doing a mass insertion of malicious scripts to accounts causing hundreds of calls to be in queue. That then triggered us to do a mass password reset and even more calls coming in. I guess it's good that some people don't check their website too often. Or that they never downloaded the database table with all of our customers' credit card information.

    Anyways, I wouldn't jump to that conclusion.
     
    samie, Sep 17, 2011 IP
  2. waziuz

    waziuz Active Member

    #22
    ^^

    That is why I mentioned with proper permissions and combination of plugins.

    99% of the hacks are either due to server issues from the hosting end where the server or some portion gets hacked, or due to running age-old Wordpress versions and for not updating Wordpress, or due to using all xyz plugins without checking the reliability and security of the plugins. I doubt a regularly updated Wordpress without any plugins installed and on a well-maintained and hardened dedicated to get hacked easily. That is why Wordpress brings out updates so frequently so that they can remain ahead of hackers instead.
     
    waziuz, Sep 19, 2011 IP
  3. coolroxx

    coolroxx Peon

    #23
    Just install a good anti-spam plugin.
     
    coolroxx, Sep 24, 2011 IP
  4. khanter

    khanter Peon

    #24
    Anti spam? Why anti spam?
     
    khanter, Sep 24, 2011 IP
  5. omniscient

    omniscient Active Member

    #25
    Maybe you are using a premium theme for free?
     
    omniscient, Sep 24, 2011 IP
  6. wwws

    wwws Notable Member

    #26
    Look into your folders which could be different from others. One folder where this malicious might be is on the "UPLOAD" folder, also it is best to check your .htaccess files, down at the bottom it might look like this:

    DELETE this and continue to look for these codes in files and folders, compare the files with Wordpress, sometimes replacing these files by over-writing could do the trick too.

    Good luck!
     
    wwws, Sep 24, 2011 IP
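
The uploads-folder and .htaccess checks suggested in post #26, as an added example that is not part of the original thread. The directive patterns, the function names and the sample tree are assumptions constructed for illustration; the .htaccess snippet the poster referred to is not reproduced on this page, and comparing files against a clean WordPress copy is not covered here.

```python
import os
import re
import tempfile

# Heuristics chosen for this example (assumptions, not taken from the thread).
HTACCESS_PATTERNS = {
    "redirect to external host": re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b.*https?://", re.I),
    "rule keyed on referer/user agent": re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I),
    "PHP auto-include": re.compile(r"^\s*php_value\s+auto_(prepend|append)_file", re.I),
}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def audit(root):
    """Return sorted (relative_path, line_no, reason) findings under a WordPress root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Uploads should hold media only, so PHP there deserves a look.
            if rel.startswith("wp-content/uploads/") and name.lower().endswith(PHP_EXT):
                findings.append((rel, 0, "PHP file in uploads"))
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        for reason, rx in HTACCESS_PATTERNS.items():
                            if rx.search(line):
                                findings.append((rel, no, reason))
    return sorted(findings)

def make_sample(root):
    """Write a small constructed site tree (sample data, not from a real incident)."""
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n"
                     "RewriteCond %{HTTP_REFERER} (google|bing) [NC]\n"
                     "RewriteRule .* http://redirect.example.invalid/ [R=302,L]\n",
        "wp-content/uploads/2011/09/photo.jpg": "",
        "wp-content/uploads/2011/09/cache.php": "<?php /* placeholder */ ?>",
        "wp-content/themes/demo/index.php": "<?php /* theme */ ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for rel, no, reason in audit(tmp):
            print(f"{rel}:{no}: {reason}")
```

A hit is a prompt for manual review, not proof of compromise; some plugins legitimately add redirect rules to .htaccess.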
  7. pranavr

    pranavr Peon

    #27
    None of the above works as well as restricting access to WP admin, FTP, SSH, cPanel, etc., to only your IP address.
     
    pranavr, Oct 1, 2011 IP
  8. vna1611

    vna1611 Well-Known Member

    #28
    This is always the case with WP -
    especially if you do not have a good hosting company.
    You need to create a backup for this kind of issue.
    Regards :)
     
    Last edited: Oct 1, 2011
    vna1611, Oct 1, 2011 IP