I’m not currently a WordPress user, but I can tell you that your web host has been intruded like many, many others. You should contact your hosting company. You need to remove the offending item from your source file and re-do everything.
It happened to me (I’m with web-mania.com) and all my index.htm and home.htm files were infected, both with something very similar to the script you describe and with an extraneous <form> entry. I also had an infection in my cgi-bin directory which I had to remove manually. I was able to clear all the rest by uploading fresh copies of all infected files from my local backup, but that may not be much help to you?
Note that you can submit the script to https://wepawet.iseclab.org/index.php and it will ‘de-obfuscate’ it for you – then you’ll see where 8addition came from!
Hope this helps
