I manage a WordPress site for a client that is hosted on a Linux server. Recently I was alerted to the fact that a routine scan had found malware on the site. I scrubbed the bad files from the site and patted myself on the back. Then later, when I went back to check on the site, I found that new malware modules had mysteriously found their way back onto my site.

So digging deeper, I began going through the server logs. Since I completed my initial scrubbing, I noted in the logs three instances where there was a POST to wp-admin/includes/menu.php followed immediately by a second POST to a newly uploaded piece of malware. (The PHP file itself has been sufficiently obfuscated that I don’t know what it does but I know it’s not good.)

Does anybody have an idea what this exploit might be? And any suggestions on how I may combat it? For the record, I am a programmer by trade so I’m not afraid to get into dirty details…