I'll try to keep this short.
Over the past few years my WordPress site (www.shiftedmatrix.com) has been hacked a few times. Every time it's almost the same thing, that good old base64_decode injection hack that spreads to every index.php file on your server. Since I run a few sites off a single web hosting account, this is really fucking annoying.
The first time it was because I wasn't keeping my WordPress up to date, but after a full reinstall I was clean (for a while).
Then about a year later it happened again. After a few infections over the course of a few months I eventually tracked it down to an outdated tim-thumb.php file included with my theme. Updating that, cleaning out all extra themes and plugins I wasn't using, I thought I was good.
This summer it's been happening again. Thanks to WordPress Firewall at least I get some warnings now. It first happened in July, then in August, and then again this morning. Each time, WordPress Firewall lets me know that during the night someone is trying to overwrite certain common plugins with hacked files through plugin-editor.php. It generally lets me know it blocked 4 or 5 attempts, but when I actually check the site I've usually been infected. After the July attempt I cracked down with as much security as I could: full .htaccess protection, folder permissions, security plugins, etc. I did all I could to prevent it from happening again, but with no luck.
After every infection I've been very thorough with my cleanse. If I catch it quick enough it generally only gets into the main index.php file, my theme index.php file, and maybe one more index file in a random wp-admin or wp-includes folder. I know from the first few times if I don't catch it early it can spread into a lot more files. But between a few different exploit scanners, Dreamweaver find/replaces and manual checks, and overwriting system files with a fresh download, I'm sure I get everything when I clean it out.
I'm almost positive it's always coming through my main site, despite having 4 different sites hosted on the same server. Reason being that 2 of those sites are non-WordPress (one MediaWiki and one custom PHP) and the other site is WordPress but gets no notifications from the firewall. Also, the infections seem to happen after I get a bump in traffic to the main site from posting a link to reddit or something. These other sites do get infected as well, but I'm sure the source of the infection is through my main site.
So, short of making all the system, theme and plugin files read-only, what can I do to stop this? It's really fucking annoying to have to waste a couple hours every month cleaning my websites. And as a web developer it's rather embarrassing to have this problem and not be able to permanently fix it.