Most of us who owns wordpress site will, at certain point of time, experience a hack. I will not cover the basics of such hack or basic common techniques used to remove them.
One of the technique I been using recently that would well, is to enable the debug mode.
The following code, inserted in your wp-config.php file, will log all errors, notices, and warnings to a file called debug.log in the wp-content directory. It will also hide the errors so they do not interrupt page generation.
// Enable WP_DEBUG mode
define( 'WP_DEBUG', true );
// Enable Debug logging to the /wp-content/debug.log file
define( 'WP_DEBUG_LOG', true );
// Disable display of errors and warnings
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );
// Use dev versions of core JS and CSS files (only needed if you are modifying these core files)
define( 'SCRIPT_DEBUG', true );
By simply enabling the debug mode, you be able to catch an error ‘headers already sent’, which also points to the file that the code are injected.
Warning: Cannot modify header information - headers already sent by (output started at /some/file.php:12) in /some/file.php on line 23
Since most code are injected on top of your files, you be able to catch the error sent out just by enabling the debug mode.