Yes, I found it out today and I have just fixed it!
During the process I found I had another case of SQL injection as two new users (admin level) were added. Besides plugins I suspects the uploads folder might be the most likely place the hacker used because its permission is set to 777 by default — 777 permission for a folder or file means anyone can read, write or execute the file or files in a particular folder. If you do not use WordPress’s built-in feature to upload images, change it to 744 and add these two lines to your wp-config.php file:
define(‘FS_CHMOD_DIR’, (0755 & ~ umask()));
define(‘FS_CHMOD_FILE’, (0644 & ~ umask()));
Another thing I have learned for the wp-config.php file is the fresh security keys you can get at api.wordpress.org/secret-key/1.1/salt/ – BTW, it is the first thing you should do by replacing the old keys with new ones so that the hacker cannot login using a saved cookie on his side.
I have done several other things to tighten up the securities for this site which I cannot reveal all. Just search the internet for the measures yourself. Be selective for what themes or plugins you use – they are free for a reason.