To those of you who have been hacked, the answer has been repeated over and over in these forums: The hacker is gaining access to your WP installation through your FTP on your desktop.
And your WordPress blog is being hacked because you have a trojan hiding on your PC. You are wasting your time securing or upgrading your WP installation if you do not find and delete the trojan and/or malware on your PC first.
Changing your passwords and upgrading WP is useless if your PC is still infected with a trojan. I can almost guarantee the hacker has hidden a PHP shell script somewhere on your servers outside of your WP install. To find it you must either run a virus scan on your entire server (or ask your host to run one) or you can manually eyeball the dates inside every single folder on your server (inside and outside of WP) to see which file was updated recently or to find filenames that you know you didn’t create.
Once you remove the PHP shell file(s), you must scan your hard drive for trojans/malware. Once your HD is clean you can then change your passwords and upgrade your WP install or simply overwrite your files with clean files. I would suggest using several different anti-virus/anti-malware programs to find the trojan. Malwarebytes is a good start.
