WordPress is a very popular target for hackers. They normally get in through holes found in plugins, themes or WordPress core.
An up-to-date installation (including plugins and themes) is crucial!
Hardening WordPress is sadly not part of the standard installation documentation, but a guide is available in the "codex": http://codex.wordpress.org/Hardening_WordPress
Removing unused plugins and users, and setting htpasswd and/or IP whitelisting on //wp-admin//, should also be considered.
Injected files are usually pretty easy to find because their code style and file naming do not follow WordPress conventions. The code also usually contains compressed and/or encoded data, which makes it stand out.
//Some hacks inject code into files that are part of the installation. Do not remove these files; clean them or replace them with the originals.//
These commands might come in handy:
# If the hack was recent, check recently modified files (-mtime 0 = modified within the last 24 hours)
$ find . -mtime 0
# Some hacks are nice enough to include a comment for where a block starts/ends (ex: //istart)
# (-exec ... {} + handles file names with spaces, which plain xargs does not)
$ find . -type f -name "*.php" -exec grep -H "istart" {} +
# Hacked files normally use base64-encoded data in an attempt to hide code
$ find . -type f -name "*.php" -exec grep -H "base64_decode" {} +
# Eval-ing of code is usually a sign of something naughty (although lots of plugins etc. use this)
$ find . -type f -name "*.php" -exec grep -H "eval(" {} +
# Sometimes PHP files are "hidden" inside the JavaScript assets folder, which should only contain .js files
$ find wp-includes/js -type f -name "*.php"
Another method is to use git to compare the site against a pristine copy of the same WordPress version:
$ cd ~
$ mkdir wordpress-tmp
$ cd wordpress-tmp
# Use the same version as the installed site (see $wp_version in wp-includes/version.php),
# otherwise every core file will show up as modified
$ wget https://wordpress.org/latest.tar.gz
$ tar zxvf latest.tar.gz
$ cd wordpress
$ git init && git add . && git commit -a -m "Initial commit"
$ cd ~/www
$ mv ~/wordpress-tmp/wordpress/.git .
# List all modifications and additions/deletions
# (your own plugins, themes, uploads and wp-config.php will show as untracked; that is expected)
$ git status
# Check if there are any suspicious things in there
$ git diff name/of/file
# Revert to the original
$ git checkout -- name/of/file
# When you are done, remove .git
$ rm -rf .git
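The manual searches and the version check above, combined into one small scanner. This is an added example, not code from the original page; it assumes a POSIX shell with find, grep, cut and head, and a standard WordPress directory layout.

```shell
#!/bin/sh
# Added example (not from the original page): a small scanner for the
# indicators described above. Assumes POSIX sh with find, grep, cut, head.

# Print the installed WordPress version from wp-includes/version.php, which
# contains a line like:  $wp_version = '6.4.2';
# Fetch the matching release before a diff/git comparison, otherwise every
# core file shows up as modified.
wp_version() {
  grep '^\$wp_version' "$1/wp-includes/version.php" | head -n 1 | cut -d "'" -f 2
}

# Report PHP files matching the heuristics above, one "reason path" per line:
#   suspicious-code   - source contains base64_decode or eval(
#   php-in-asset-dir  - a .php file under wp-includes/js or wp-content/uploads,
#                       directories that should hold only JS or media
# Plugins legitimately use eval()/base64_decode too, so treat hits as leads,
# not verdicts, and review each file by hand.
scan_wp() {
  root="$1"
  {
    find "$root" -type f -name '*.php' \
      -exec grep -lE 'base64_decode|eval[[:space:]]*\(' {} + 2>/dev/null |
      while IFS= read -r f; do printf 'suspicious-code %s\n' "$f"; done
    for d in "$root/wp-includes/js" "$root/wp-content/uploads"; do
      if [ -d "$d" ]; then
        find "$d" -type f -name '*.php' |
          while IFS= read -r f; do printf 'php-in-asset-dir %s\n' "$f"; done
      fi
    done
  } | sort -u
}

# Run directly as:  sh scan.sh /path/to/wordpress
if [ -n "${1-}" ] && [ -d "$1" ]; then
  echo "WordPress version: $(wp_version "$1")"
  scan_wp "$1"
fi
```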
Here are some file paths commonly seen in compromised installations:
# Hijacked files (legitimate files with injected code):
wp-content/themes/genesis/footer.php
wp-content/themes/twentytwelve/footer.php
wp-content/themes/enfold/footer.php
wp-content/themes/twentyfourteen/footer.php
wp-content/themes/twentythirteen/footer.php
wp-includes/nav-menu.php
# Uploaded (dropped) files:
wp-content/themes/bco/phpini.php
wp-content/plugins/press.php
wp-includes/SimplePie/Decode/blog.php
wp-includes/js/tinymce/themes/ajax85.php
wp-content/plugins/types/marketing/general31.php
wp-admin/css/colors/ectoplasm/help.php
wp-content/uploads/03.php.
wp-content/OrIvVFnnhLA.php
wp-content/xhl8dNm.php
wp-content/s2.php
wp-content/s.txt
wp-content/plugins/simple-history/inc/object.php
wp-includes/SimplePie/config.php
wp-includes/js/tinymce/cache.php
wp-includes/js/tinymce/leftpanelsin.php
wp-includes/js/tinymce/themes/modern/menu.php
wp-includes/js/tinymce/langs/footer.php
wp-includes/pomo.php
wp-includes/cache_checkexpress.php
# Common filename patterns:
sed254w5A
_input_1_wp_user.php5