CMS insecurity on known infection source!

Re: http://quttera.com/detailed_report/hongkongtango.org 33 malicious files detected.
Google Safebrowsing Blacklisted: https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=hongkongtango.org

Web application details:
Application: WordPress 4.5.2

Web application version:
WordPress version: WordPress 4.5.2
Wordpress version from source: 4.5.2
WordPress theme: -http://www.hongkongtango.org/hk/wp-content/themes/point/
Wordpress internal path: /home/kanbukai/domains/hongkongtango.org/public_html/hk/wp-content/themes/point/index.php

Known javascript malware detected: https://sitecheck.sucuri.net/results/hongkongtango.org
See: 05a806cae94c894c80cba61da070b1b65f843306

 script
     info: [script] wXw.honeywickqa.com/js/jquery.min.php?utt=J18171%26utm=
     info: [decodingLevel=0] found JavaScript
     error: undefined variable document.referrer
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var document.referrer = 1;
          error: line:1: ....^

http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.honeywickqa.com

Re: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.hongkongtango.org%2Fhk%2Four-practica%2F+

Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 admin admin
2 None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled, it is usually possible to enumerate all users within a WordPress installation.

polonus (volunteer website security analyst and website error-hunter)

Only ESET detects
https://www.virustotal.com/nb/file/22fb40ede8da284e130b89dc84393aab59b24f23dd43ae793db2181c3e3b25da/analysis/1463848682/

Now, Pondus and others, read here why these CMS issues (misconfigurations, outdated plug-ins and other issues) form such a threat and how they can be abused by attackers to be a first stepping stone to a complete website compromise: https://www.ethicalhacker.net/features/root/hacking-wordpress-with-xss-to-bypass-waf-and-shell-an-internal-box
That is why I always check specific issues shown via a hackertarget.com/wordpress-security-scan/ with this additional DOM/XSS scanner http://www.domxssscanner.com/scan?url= and also check the code against javascript insecurity with an unpacker or establish whether code exceeds certain run-time, which could be an indication to further test for DNS anomalies or server insecurity (DROWN, BEAST, POODLE, SHA1 etc. etc.).

The DOM/XSS Scanner I mentioned is kept by the Google crew, so we see how important Google thinks these scan results can be to help insecurity protection.

polonus (volunteer website security analyst and website error-hunter)