
Peldi, something similar to this happened to me for a number of years (I've run my own WP site for 6 years now); every 3 months or so, no matter what I did to lock the site down it would get reinfected with malware.

It got so frustrating that I toyed with just taking the site down permanently a few times because I couldn't handle the maintenance burden psychologically (it was such a downer to be fighting the same fight every few months for 2 years).

BUT, I finally found out what had happened, apparently there are some f-ing ingenious ways people can hide hacks in your WordPress site.

I outlined all of my steps here: http://www.thebuzzmedia.com/finding-and-removing-hidden-word...

The basic trick boils down to uploading a fake HTML or image file that is actually a PHP script that hides in your server folder and is executed by the running process every few weeks which then infects all the other files (adding in JS headers or footers to every template file).

Another nasty trick is to use the same mis-named file uploaded into your /uploads directory, but to register it as one of your WordPress plugins. So if you search the WP database plugin table for non-PHP extensions you might find a "plugin" registered as "/uploads/2011/06/profile.jpg" when in reality it is a PHP file and not an image that WordPress is executing.

The blog post outlines how to find and remove them, I'd also recommend against running WordPress with permissions that don't allow writing except for the /uploads directory.

This means no more automatic updates inside of WordPress, you'll have to do them yourself (same for plugins) but it also means no more hacks getting through and writing themselves to your DB or file system. They can even upload themselves but then cannot affect the system in any way because the executing process has no write perms.

It has just been a lot easier for me to run in that fashion and keep everything up to date manually.

Hope that helps!
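The two checks the comment above describes (a non-PHP "plugin" registered in the database, and an image or HTML file in the uploads tree that actually contains PHP) can be scripted. The following is an added example, not the commenter's code and not from the linked blog post. It assumes the WordPress active_plugins option, which lives in the wp_options table as a PHP-serialized array of plugin paths; the serialized blob and the uploads directory below are constructed samples, and the file contents are stand-ins, not real malware.

```python
import os
import re
import tempfile

# Constructed sample of the wp_options "active_plugins" value: a PHP-serialized
# array. The second entry is the kind of bogus "plugin" the comment describes,
# pointing at a .jpg under uploads instead of a .php file under wp-content/plugins.
SAMPLE_ACTIVE_PLUGINS = (
    'a:2:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:30:"../uploads/2011/06/profile.jpg";}'
)

# PHP serializes strings as s:<byte length>:"<bytes>"; keys are i:<n>; and do not match.
_PHP_STR = re.compile(rb's:(\d+):"')


def parse_php_string_array(blob: str) -> list:
    """Return the string values of a PHP-serialized array (enough for active_plugins).

    Works on bytes because PHP's length prefix counts bytes, not characters.
    """
    data = blob.encode("utf-8")
    values = []
    pos = 0
    while True:
        m = _PHP_STR.search(data, pos)
        if not m:
            return values
        length = int(m.group(1))
        start = m.end()
        values.append(data[start:start + length].decode("utf-8", "replace"))
        pos = start + length  # skip past the value so its contents are never re-scanned


def suspicious_plugin_entries(blob: str) -> list:
    """Flag active_plugins entries that are not .php files or that escape the plugins dir.

    WordPress includes each entry relative to wp-content/plugins, so a legitimate
    entry is "dir/file.php" or "file.php" with no traversal and no leading slash.
    """
    flagged = []
    for entry in parse_php_string_array(blob):
        parts = entry.split("/")
        if (not entry.lower().endswith(".php")
                or ".." in parts
                or entry.startswith("/")):
            flagged.append(entry)
    return flagged


# Extensions that should never carry PHP. An attacker renames a PHP script to one
# of these so it survives in uploads; the web server still runs it if it is
# included from PHP (for example via the bogus plugin entry above).
NON_CODE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".html", ".htm", ".txt", ".css"}
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def find_disguised_php(root: str, max_bytes: int = 64 * 1024) -> list:
    """Walk an uploads tree and list non-code files whose leading bytes contain a PHP open tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in NON_CODE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)
            if any(marker in head for marker in PHP_MARKERS):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo_scan_uploads() -> list:
    """Build a constructed uploads tree with one real image and one disguised PHP file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2011", "06")
        os.makedirs(month)
        with open(os.path.join(month, "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # genuine JPEG header, no PHP
        with open(os.path.join(month, "profile.jpg"), "wb") as fh:
            # GIF header followed by PHP: a constructed stand-in for a backdoor body.
            fh.write(b"GIF89a\n<?php /* constructed stand-in for a backdoor body */ ?>\n")
        return find_disguised_php(root)


if __name__ == "__main__":
    print("suspicious active_plugins entries:", suspicious_plugin_entries(SAMPLE_ACTIVE_PLUGINS))
    print("disguised PHP under uploads:", demo_scan_uploads())
```

Against a live site, feed the real option value (for example the output of `wp option get active_plugins` from WP-CLI, or a `SELECT option_value FROM wp_options WHERE option_name='active_plugins'`) to suspicious_plugin_entries, and point find_disguised_php at wp-content/uploads. The file scan only reads the first 64 KiB of each file, which catches a PHP tag appended after a short image header but not one buried deep inside a large file; raise max_bytes if the uploads tree is small enough to read in full.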


