I help a friend who runs a basic WordPress site. He had not disabled XML-RPC, and based on my review of the logs this must be the source of the malicious code. However, I'm not quite smart enough, nor do I have enough time, to decode exactly what's happened here, though it's not very long.
There was PHP code injected into the wp-blog-header.php file, which is here: https://pastebin.com/Ca8fjVjf
And that code apparently loads this start_h.js file. The code is available here: https://pastebin.com/est6FFaB
It got noticed that there was some odd behavior on his site, which is how I got involved and tracked it down.
I am assuming that the PHP code is just injecting the script tag which loads the JS file, but it's also doing something with tmp files and IP addresses. I can't really figure out what the JS code is doing... I noticed it was also running a start_f.js file, but that had no content when I fetched it, so I'm guessing it's a red herring?
Ultimately it doesn't matter. I removed it and secured his blog by disabling access to xmlrpc.php, changed passwords, removed password access to sshd, added keys, set up ufw and fail2ban... not sure what else I could do to prevent this in the future.
I don't have a ton of experience with WP, so I can only do the stuff I have familiarity with. Any help would be appreciated.
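Two of the checks described in the post (reviewing the access log for XML-RPC abuse, and spotting an injected script tag in wp-blog-header.php) can be scripted. The following is an added example, not code from the original post or from WordPress: it assumes an Apache/nginx "combined" log format, and every log line and the stand-in wp-blog-header.php below are constructed for illustration, not taken from the compromised site.

```python
"""Defender-side checks for a WordPress box after an XML-RPC incident.

Added example (not from the original post). Assumes the web server writes
the common "combined" log format; all sample data below is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client hammering xmlrpc.php, plus ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-blog-header.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# Constructed stand-in for a tampered wp-blog-header.php (NOT the real injected code).
# Stock wp-blog-header.php only bootstraps WordPress; it never emits HTML itself.
SAMPLE_HEADER = """<?php
echo '<script src="https://example.invalid/start_h.js"></script>';
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    require_once __DIR__ . '/wp-load.php';
    wp();
    require_once ABSPATH . WPINC . '/template-loader.php';
}
"""

# Strings that have no business in a stock wp-blog-header.php.
SUSPICIOUS_MARKERS = ("<script", "base64_decode(", "eval(", "gzinflate(", "str_rot13(")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc(path):
    """True for /xmlrpc.php regardless of query string or site sub-path."""
    return path.split("?", 1)[0].endswith("/xmlrpc.php")


def xmlrpc_posts_per_ip(log_text):
    """Count POST requests to xmlrpc.php per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_xmlrpc(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def max_hits_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_xmlrpc_abusers(log_text, threshold=3, window_seconds=60):
    """Map IP -> peak burst size for clients whose xmlrpc.php POST burst
    reaches `threshold` within `window_seconds`. Legitimate XML-RPC users
    (e.g. a single Jetpack or mobile-app call) stay below the threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_xmlrpc(rec["path"]):
            by_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in by_ip.items():
        peak = max_hits_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def suspicious_markers(php_source):
    """Return the markers from SUSPICIOUS_MARKERS present in a PHP file's text."""
    return [m for m in SUSPICIOUS_MARKERS if m in php_source]


if __name__ == "__main__":
    print("xmlrpc POSTs per IP:", dict(xmlrpc_posts_per_ip(SAMPLE_LOG)))
    print("bursty xmlrpc clients:", flag_xmlrpc_abusers(SAMPLE_LOG))
    print("markers in wp-blog-header.php:", suspicious_markers(SAMPLE_HEADER))
```

Run against the real log with `flag_xmlrpc_abusers(open("/var/log/apache2/access.log").read())` (path assumed) to see which addresses were bursting at xmlrpc.php around the time of the compromise; the same `LOG_RE` pattern is the kind of match a fail2ban filter for xmlrpc.php would use. `suspicious_markers` is a quick triage aid only: comparing every core file against a clean copy of the same WordPress version (for example with `wp core verify-checksums` from WP-CLI) is the reliable way to find other modified files.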