Cf this :
stackoverflow.com/questions/3328235/how-does-this-giant-regex-work

Basically, you can download your blog’s file to your disk, open notepad++ (highly recommended), use the Search menu, tab “search in folders”, and start searching for strings of text in all files.

Search for preg_replace and note all the results not sounding legit (it’s rather easy to spot, the /e trigger, guys, the /e trigger !)
Search for the hex version of the eval code (cf the link I gave). For hex versions of the end of code too.
Search for base64_ calls, this is SO rarely found in a legit way you will easily make sure.

Protip, I’ve had also a .jpg false file, actually containing code to load. Simple as that, after you downloaded all the blog’s files, search for all image files, copy them to a new folder, and run a batch conversion with a tool like irfanview or xnview : non-real pictures won’t be convertable, open them in a text editor and check.

OMG. WordPress is widespread, and many of it’s users have minimal knowledge of websecurity (like me!) – the tips here and ssh commands provided are so helpful, and so relevant. Thank you. Thank you a thousand times. I don’t know if it solved my problem yet (I have many sites on one ssh user account), but I’m eager to try these out.

For anyone who is having WordPress malware or trojan problems, get an SSH client like PuTTy and try this guys tips.

I’d love to see more replies, I’ll check out the rest of your blog.

I’m leaving my website in the URL, but don’t visit it yet, ’cause I’m still cleaning the backdoor lol!