For the last few days there is news of attacks on sites that are based on PHP as is WordPress, and today I can give some clear directions in this regard, sorry for the delay however.
The first thing to clarify is that is not a massive attack on WordPress but this injection of code affects any web based on PHP and, to this day, the other relevant data is that they also share a server, it is not happening on dedicated servers. In fact, if it were a massive attack on WordPress there would be many more infected sites, given the huge implementation that today (thanks to you) has this CMS.
This makes us think of two possible causes, one sure. The first is that the attacker uses security vulnerabilities of the server on which he is hosted and which he shares with other sites, and the second is that something is allowing the code to be injected into the PHP files of the attacked sites, either a bad plugin designed, a bad security configuration of the CMS used. However I bet on the first option because the Zettapetta has infected static sites where there were a couple of loose PHP files and, as I said, if it were something special for WordPress we would all be infected, or almost, and it is not.
This case is special, because there is even a video in which the supposed cause explains how to inject code into shared servers of Networks Solutions without having to steal usernames and / or passwords!
Fortunately there is a solution.  The attackers are infecting the webs with a script that tries to inject malicious software into the "client" sites and, in addition, prevents the anti-malware mechanics that modern browsers such as Firefox and Safari can detect.
script affects any shared server and attacks have already been verified in several top-tier hosting providers, such as Mediatemple.
And what does the Zettapetta ] this one of the noses is to add a lot of base64 code at the beginning of all the PHP files that will be found on the server, recursively. Come on, if it enters your WordPress it infects all the files 'core', those of the plugins, the themes, everything, up to the wp-config.php and the index.php usually empty.
Once the base64 is decoded, what it contains is this: