The usual way that these get in is when people upgrade WordPress by simply doing a tar -zxvf wordpress.tar.gz. This replaces files, but often there are many legacy files from older installs that never got deleted.
In my case, the attack was from "/blog/wp-content/themes/default/functions.php", which isn't even a theme in recent WordPress builds; it's simply been left over from the many upgrades over the years.
The other most common route for such injection is not always WordPress itself, but instead through insecure, third-party themes, since theme designers are not always programmers.
One of our clients had their FTP credentials compromised causing a similar effect. It may be a decent idea to check the logs and identify if this was the method of entry.
3 comments
[ 2.5 ms ] story [ 15.1 ms ] threadIn my case, the attack was from "/blog/wp-content/themes/default/functions.php", which isn't even a theme in recent WordPress builds; it's simply been left over from the many upgrades over the years.
The other most common route for such injection is not always WordPress itself, but instead through insecure, third-party themes, since theme designers are not always programmers.