Thank you for post.
I’m still on that problem on many of my site. It’s about an year that every two or three mounth someone hack my sites ( not only one ) always in the same mode: many lines of encoded code at the top of all php files, always the same code like <?php //$qojtvhdgl = '%x5c%x7825)ufttj… so I use ssh to comment all ( the hack is in only in the first line , and usually I clean complete hacker code only inside plugins directory otherwise my plugins gone disabled .
here my ssh :
cd directoryroot
find ./ -type f -exec sed -i -r 's/php $qojtvhdgl/php //$qojtvhdgl/g' '{}' ;
cd directory plugins
find ./ -type f -exec sed -i -r 's/php //$qojtvhdgl+(.*)+;/php /g' '{}' ;
In this way in a few minutes disappear any front end problem and in any case I can reinstall only plugins. But now I ask me:
Where is the hole? ( in the same server I've other sites not wp without any problem, so I suppouse a wp bug, but I don't use a lot of plugins and often the default, always updated version.
I' ve try to use Wordfence and WpBetterSecurity but nothing.I've updated my plugin and my wp version but nothing. Today I've benn hacked again.