IT Tutorial

WordPress hidden link injection FIX

Fixing the problem

First and foremost, always keep your WordPress install up-to-date! Updating could not be any easier. Simply click on the alert that appears at the top of your Dashboard and follow the instructions. It takes literally 10 seconds.

Next, change the admin WordPress user’s password. Also change your MySQL user’s password.

Lastly, find the files that the exploit inserted via upload.php. I have found two separate instances of these files, both located in the wp-includes folder. Check the permissions of each file in wp-includes and investigate any file that has 777 permissions (that's your first clue that something is wrong). class-rss.php and feed-atom2.php are two cleverly named files that I have seen cause issues. These two files are not native to the WordPress codebase and can be safely removed. If you open either of these files and know a bit of PHP, you'll see that they are certainly the culprit.
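The check described above can be scripted. The following is an added example, not code from the original article: it lists files in wp-includes whose mode is exactly 777 and, going one step beyond the two file names given, lists every file that is absent from a clean copy of WordPress. It assumes you have unpacked a clean copy of the same WordPress version next to the site; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a site's wp-includes directory for the two clues
# in the text above. Function names are illustrative, not WordPress tooling.

# Print every regular file under $1 whose permission bits are exactly 777.
mode_777_files() {
    find "$1" -type f -perm 777 | sort
}

# Print files (relative paths) that exist under the site directory $1 but
# not under the clean reference directory $2, i.e. files that are not
# native to the WordPress codebase.
non_native_files() {
    site_list=$(mktemp) && ref_list=$(mktemp) || return 2
    (cd "$1" && find . -type f | sort) > "$site_list"
    (cd "$2" && find . -type f | sort) > "$ref_list"
    # comm -23 keeps only the lines unique to the first (site) listing.
    comm -23 "$site_list" "$ref_list"
    rm -f "$site_list" "$ref_list"
}

# Report both clues with a label per line. Returns 0 when nothing was
# found and 1 when at least one file needs investigation.
audit_wp_includes() {
    perm_hits=$(mode_777_files "$1")
    extra_hits=$(non_native_files "$1" "$2")
    [ -n "$perm_hits" ] && printf '%s\n' "$perm_hits" | sed 's/^/mode-777: /'
    [ -n "$extra_hits" ] && printf '%s\n' "$extra_hits" | sed 's/^/non-native: /'
    [ -z "$perm_hits$extra_hits" ]
}

# Usage: sh audit.sh /path/to/site/wp-includes /path/to/clean/wp-includes
if [ "$#" -eq 2 ]; then
    audit_wp_includes "$1" "$2"
fi
```

Review each reported file before deleting it; a file flagged as non-native may also be a legitimate leftover from an older WordPress release.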







