wp-pass.php – wp-register.php hack vulnerability?

My site has been hacked twice in the past month. HostGator informed me of this problem. In trying to work through this, I was given some info by a support person at WPMUDev (the creators of a number of plugins I use) on my multisite.

I can’t understand his responses and he seems not to understand my actual questions, so I’m hoping for a second opinion and or a different perspective so that I can work through this.

The support person said that two files in my install (wp-pass.php and wp-register.php) are old files that were “injected into [my] WordPress installation” and “are causing a security breach with unauthorized signups.”

He said that they do not exist in current WordPress installs (I am using the current version of WordPress, but they are still there) but that I can’t just delete them because “the perpetrators will just turn around and replace them getting past the current version of WordPress.”

Instead, he said that I need to set the permissions of those two files to 0 “so they cannot be overwritten and are rendered absolutely useless.”

(1) I followed his advice and the site was again hacked this week.

(2) If removed files can be replaced by someone else, then someone else has access to my root file. How does changing permissions on two files help if someone can create files in my root folder?