suspicious "sitemap.php" file added to public_html dir
hi,
i wanted to ask if anyone has encountered a situation similar to this and how it was patched/fixed (to prevent future hacks).
i recently experienced anomalous output on some pages on a wp site i manage. a viewer would go to the site, look at some pages and see texts inserted in the actual page text. texts like selling viagra or some other random text/spam (just texts). the number of processes running on the server (shared hosting) would spike, from the regular 1 to 2 over 25, to about 20 to 25 over 25. the site would constantly throw internal server errors. the texts are randomly inserted and sometimes a refresh of the same page will make the insertions disappear. some pages viewed in diff browsers/machines will produce one hacked and one normal page.
i have consulted our hosting service but they always say they’ll get back but then give no definite answers or they don’t get back at all.
i also looked at some cross-site scripting or ‘pharma hack’ and other possibilities.
so, after looking for evidence or clues myself (database looks clean, the theme pages did not have inserted code etc.) i noticed a “sitemap.php” file in my site’s public_html. i double-checked and, yes, wordpress doesn’t have such a file. i looked at the file and saw code similar to this one:
https://www.leakedin.com/2013/05/01/potential-leak-of-data-obfuscated-php-code-437/
i’d like to know how such files could be uploaded (or written) in the public_html dir. or more important: how such hacks may be prevented, avoided (or minimized?) in the future.
thanks for any help or point to the right direction.
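A defensive check for the situation described in the post, added here as an example and not part of the original thread: it lists PHP files in the web root that a stock WordPress install does not ship, and flags any PHP file in the tree containing a decode-and-execute chain. The function names, the regex and the sample tree are assumptions made for illustration; the post does not show the actual contents of its sitemap.php.

```python
import re
import tempfile
from pathlib import Path

# PHP files that a stock WordPress install places in the web root.
WP_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php",
}

# Assumption: decode-then-execute chains commonly seen in obfuscated PHP.
OBFUSCATION = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)

def audit_web_root(root):
    """Return {relative_path: [reasons]} for PHP files that need review."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        rel = path.relative_to(root)
        reasons = []
        # A PHP file directly in the web root that core does not ship.
        if len(rel.parts) == 1 and rel.name not in WP_ROOT_PHP:
            reasons.append("not a WordPress core root file")
        # Checked across the whole tree, themes and plugins included.
        if OBFUSCATION.search(path.read_bytes()):
            reasons.append("decode-and-execute pattern")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def build_sample_root():
    """Constructed sample tree: two core files plus one planted file."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';")
    (root / "wp-load.php").write_text("<?php // core bootstrap")
    # Constructed, harmless payload: the base64 decodes to "echo 1;".
    (root / "sitemap.php").write_text('<?php eval(base64_decode("ZWNobyAxOw=="));')
    return root

if __name__ == "__main__":
    for name, reasons in audit_web_root(build_sample_root()).items():
        print(name, "->", "; ".join(reasons))
```

A root-level hit is a prompt for review, not proof of compromise, since some sites legitimately add their own PHP files there.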