Posted by wgadmin2 in Announcements on November 5, 2011
Yes, I found it out today and I have just fixed it!
During the process I found I had another case of SQL injection, as two new users (admin level) had been added. Besides plugins, I suspect the uploads folder might be the most likely place the hacker used because its permission is set to 777 by default. A 777 permission on a folder or file means anyone can read, write or execute the file, or the files in that folder. If you do not use WordPress's built-in feature to upload images, change it to 744 and add these two lines to your wp-config.php file:
define('FS_CHMOD_DIR', (0755 & ~ umask()));
define('FS_CHMOD_FILE', (0644 & ~ umask()));
Another thing I have learned about the wp-config.php file is that you can get fresh security keys at api.wordpress.org/secret-key/1.1/salt/. BTW, replacing the old keys with new ones is the first thing you should do, so that the hacker cannot log in using a saved cookie on his side.
Note the address is api.wordpress.org/secret-key/1.1/salt, not api.wordpress.org/secret-key/1.1 – the latter gives you only four lines, while the former gives a total of eight lines of keys.
I have done several other things to tighten up the security of this site, not all of which I can reveal. Just search the internet for the measures yourself. Be selective about which themes or plugins you use – they are free for a reason.
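As an added example (not part of the original post), the shell functions below audit a WordPress directory for the two issues discussed above: world-writable paths such as a 777 uploads folder, and a wp-config.php that defines fewer than the eight key and salt constants. The function names and the sample tree built by make_sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for world-writable paths and
# for key/salt constants missing from wp-config.php.

# Print every file or directory under $1 that is world-writable (e.g. 777).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Print each of the eight key/salt constants not defined in the file $1.
missing_keys() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        # The quote required before the name keeps AUTH_KEY from
        # matching the SECURE_AUTH_KEY line.
        grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]$k['\"]" "$1" || echo "$k"
    done
}

# Build a constructed sample tree: uploads at 777 and a wp-config.php
# holding only four of the eight constants. Prints the tree's root path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes"
    chmod 755 "$root/wp-content" "$root/wp-content/themes"
    chmod 777 "$root/wp-content/uploads"
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        printf "define('%s', 'constructed-placeholder');\n" "$k"
    done > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"
    echo "$root"
}

# Usage: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    echo "World-writable paths:"
    world_writable "$1"
    echo "Missing key/salt constants:"
    missing_keys "$1/wp-config.php"
fi
```

An empty result from both functions means no world-writable paths were found and all eight constants are defined; it does not show whether the keys were rotated after the compromise.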