Security Wordpress on IIS hosted sites.

Since yesterday I,ve got strange things happening on one of my websites.

The index.php of my wordpress site on IIS changed from 1 kb to 80 KB. Also map.xml and sitemap.xml are new in the directory. Some additional files are also found in wp-content/themes or wp-content/includes folers. Like b.php or e.asp.

In the logs I can find a entry that is showing the process I think. POST /wordpress/wordpress/wp-content/plugins/easyrotator-for-wordpress/b.php - 80 or POST /wp-content/themes/koppers12/library/e.asp |26|800a0408|Invalid_character 80

This probably has to do with the fact that my security settings might be to less tightened, however I`m unable to figure out how to tighten security but let the update mechanism for wordpress itself, themes and plugins work.

Currently the rights (iusr) are set to read write for the whole website. If I change it to only read, the whole update mechanism fails due to to less rights

Is there some way to prevent the injection of unwanted files on the website but also be able to update wordpress, themes and plugins?

Might the injection used be a exploit of some plugin, or is it that due to the rights the site get injected with unwanted files ?

(Ive blocked the ip addres which caused this, but that doesn`t help much as this injection method has already been seen on other ip addresses/ranges. )

I followed this guide which works well

https://codex.wordpress.org/Hardening_WordPress

Couple things to keep in mind, if you are letting multiple users upload content to your site, make their own articles they should have a not only a special privilege account in WordPress but a dictated ftp user account on the box. That user should not have any login right.

If it is just one user making changes setup basic auth with a local windows account. When you hit the link to add media or make changes you will be prompted for a username and password.