View Full Version : Web Security: Protecting against data injection



Keleth
06-20-2009, 04:48 PM
I was hoping someone could help me out. As of late, a number of my sites have been injected with hidden iframes linking to sites that seem to download viruses onto the visitors' computers. The only things that allow uploads are two WordPress installations, that are kept up-to-date, thus I'm assuming are secure enough to not allow something like this.

It's getting frustrating, because I can't have visitors being infected then turning from my sites. I've changed my passwords multiple times, as well as changing them to >15 character alpha-numeric combinations. I can't figure out how someone is inserting text into my files. I'd love some help.

Jesdisciple
06-20-2009, 06:48 PM
I'm not in-the-know about security by any stretch, but if you post a link I'll try reproducing the attack with a harmless URL and if I get it I'll tell you. For anything better than that, all I can tell you is to search for a security consultant to pay.

Keleth
06-20-2009, 06:51 PM
Well, part of my goal is to learn web security as well, but... The two URLs where it starts are...

http://mafia.rhovisions.com
http://noeasyanswers.com

Jesdisciple
06-20-2009, 06:59 PM
From what I read at the second link, you think the attack was server-side, right? I thought you meant it was cross-site scripting (client-side) which was why I dared to try reproducing the attack. If I tried hacking a server (and I'd have to learn how first) without the administrator's permission, I'd probably meet him in court.

So I think all I can tell you at all is to look for a consultant. However, if you really want to learn security you can try OWASP (http://www.owasp.org/index.php/Main_Page).

traq
06-21-2009, 12:32 AM
Two places to start:
1. Have you asked around the WordPress forums (http://wordpress.org/support/)?
2. Have you talked to your webhost? Hosts are usually pretty interested in preventing hacks on sites they host.

Keleth
06-21-2009, 04:48 AM
WordPress had nothing of use, and my host has yet to respond on the issue.

traq
06-21-2009, 05:16 AM
Do you have any idea where the attack occurred? Where did the bad code show up on your pages? Was it saved in a comment / somewhere in the database / in a link?

Keleth
06-23-2009, 05:17 PM
So I missed that last comment...

The comment is being directly inserted into my pages. There is no problem with the database (not being pulled from the DB).

traq
06-23-2009, 07:47 PM
To be clear: the bad code actually appears in your page's source code?

I'm afraid that's beyond what I could help you with. I still think your best bet is your host's tech support. Good luck.
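
For the symptom described in this thread (hidden iframes written directly into page files rather than pulled from the database), one defensive check is to scan the web root for iframe tags sized or styled to be invisible. This is an added example, not part of any post above; the extension list, the hiding heuristics and the web-root path are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumed list of file types the server serves or executes; adjust per site.
EXTENSIONS = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Heuristic (assumption): a frame is "hidden" if it is 0 or 1 px in size or styled invisible.
HIDDEN_RE = re.compile(
    r"""(?<![-\w])(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden"""
    r"""|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*[;"']""",
    re.IGNORECASE,
)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_hidden_iframes(text):
    """Return (line_number, src) for every iframe tag that looks hidden."""
    hits = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        if HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            line = text.count("\n", 0, match.start()) + 1
            hits.append((line, src.group(1) if src else ""))
    return hits


def scan_tree(root):
    """Scan every matching file under root; return (path, line, src) tuples."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(str(path), ln, src) for ln, src in find_hidden_iframes(text)]
    return findings


if __name__ == "__main__":
    # Usage: python scan_iframes.py /path/to/webroot  (placeholder path)
    for path, line, src in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line}: hidden iframe -> {src}")
```

Comparing the flagged files' modification times against FTP and web server access logs helps narrow down how the files were written.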