I’m having EXACTLY the same problem. The first time, someone had been able to create bogus user accounts. I deleted the accounts and changed my admin password, but since then someone has inserted hundreds of invisible links in my header.php and footer.php
