
URL injections into WordPress site


Arturo99

11:50 am on Feb 20, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi
I have been having URLs injected into my WordPress site.
The hack is clever enough to overwrite file permissions to 644 and then inject these URLs.
Search Console picks them up and shows them as 404s.
We delete the bad files and shut the permissions to 755, then 3 days later it happens again.

Wordfence is giving medium warnings about upgrades but no red criticals.
Any suggestions?
Link structure is testdomain.co.uk/site/b5dde2-shogun-movie-remake

thanks
Art

Arturo99

11:51 am on Feb 20, 2021 (gmt 0)

The "b5dde2" part of the URL is in all 1,000 injected links.
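Added example, not code from the thread or from any poster: a triage script for the situation the OP describes. It walks a WordPress document root and reports files that carry the shared slug token "b5dde2" from the injected URLs, files using the idioms PHP droppers hide behind (eval, base64_decode, gzinflate), and world-writable files. The sample site it builds in a temp directory is constructed for the example (the .htaccess rewrite and dropper in it are illustrative, not something the thread reports); point scan_tree() at a real document root to use it for real.

```python
"""Added example, not code from the thread: triage a WordPress tree for the
injected pages. It looks for files that carry the shared slug token "b5dde2"
from the OP's URLs, for common PHP dropper idioms, and for world-writable files.
A small sample site is constructed in a temp directory so it runs offline;
point scan_tree() at a real document root to use it for real.
"""
import os
import re
import stat
import tempfile
import time

# Markers worth a look: the OP's shared token plus idioms droppers use to hide code.
MARKERS = re.compile(rb"b5dde2|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(", re.I)
TEXT_SUFFIXES = (".php", ".html", ".htaccess", ".js")


def scan_tree(root, recent_days=7):
    """Return {relative_path: [reasons]} for every file that deserves review."""
    cutoff = time.time() - recent_days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow planted symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if name.endswith(TEXT_SUFFIXES):
                with open(path, "rb") as fh:
                    data = fh.read()
                for m in MARKERS.finditer(data):
                    token = "marker:" + m.group(0).decode("ascii", "replace").split("(")[0].strip()
                    if token not in reasons:
                        reasons.append(token)
            if reasons:
                # Recent mtime is context, not a verdict: droppers often reset it.
                if st.st_mtime >= cutoff:
                    reasons.append("modified-recently")
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_site():
    """Constructed sample tree (not a real site): one dropper, one rewrite, one clean plugin."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^site/b5dde2-(.*)$ /wp-content/uploads/2021/02/cache.php?q=$1 [L]\n",
        "wp-content/uploads/2021/02/cache.php": "<?php eval(base64_decode($_POST['q']));\n",
        "wp-content/plugins/hello/hello.php": "<?php /* Plugin Name: Hello */ echo 'hi';\n",
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # The kind of permissions slip the thread discusses, planted on purpose.
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, why in sorted(scan_tree(site).items()):
        print(f"{rel}: {', '.join(why)}")
```

The marker list is a starting point, not a signature database: a real clean-up also diffs core and plugin files against the pristine copies from wordpress.org, since a dropper that is simply re-uploaded every three days, as the OP sees, usually means the entry point (an outdated plugin or theme, or a leaked credential) is still open.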

not2easy

12:58 pm on Feb 20, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Wordfence is a plugin, it is only as good as its environment and version. My first guess would be that you have plugins that have not been kept up to date, or even an old theme that has not been updated on the site. It is critically important to use as few plugins as possible and to keep them all 100% up to date - and to keep all themes (even inactive themes) up to date. Plugins have access to your core files, so they can overwrite your .htaccess file. You want to be certain that ONLY plugins from wp.org are installed on your sites. An old theme, even a default WP theme, is vulnerable to exploits, and your access logs can show you what is taking advantage of the vulnerabilities.

Take a list of your plugins (and versions) to the WP Vulnerabilities Database site and verify that you do not have any that are known to be weak. You can also verify your theme and version there. You can find a link to the wpvulndb site in the Charter: [webmasterworld.com...]
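Added example, not code from the thread or from any poster, for the "your access logs can show you what is taking advantage of the vulnerabilities" point above. It parses combined-format access log lines (the Apache and nginx default), pulls out requests for the injected pages, and groups direct POSTs to PHP files under wp-content by client IP, which is where an upload-style plugin bug and the dropper it leaves behind usually show up. The log lines are constructed for the example, not captured traffic, and the plugin path in them is hypothetical.

```python
"""Added example, not code from the thread: hunt the web server access log for
the injection. Assumes the common "combined" log format (Apache/nginx default)
and the OP's shared slug token "b5dde2". The log lines below are constructed for
the example, not captured traffic; the plugin path in them is hypothetical.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic). 203.0.113.7 is the attacker in this story.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2021:03:14:11 +0000] "POST /wp-content/plugins/hypothetical-plugin/upload.php HTTP/1.1" 200 44 "-" "python-requests/2.25.1"
203.0.113.7 - - [17/Feb/2021:03:14:19 +0000] "POST /wp-content/uploads/2021/02/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
198.51.100.9 - - [18/Feb/2021:08:00:00 +0000] "GET /site/b5dde2-best-sneakers-2021 HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
192.0.2.4 - - [18/Feb/2021:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2203 "-" "Mozilla/5.0"
66.249.66.1 - - [20/Feb/2021:10:01:02 +0000] "GET /site/b5dde2-shogun-movie-remake HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [20/Feb/2021:03:15:00 +0000] "POST /wp-content/uploads/2021/02/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
"""


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def injected_hits(entries, token):
    """Requests for the injected pages: who is fetching them, and when they went live."""
    return [e for e in entries if token in e["path"]]


def first_seen(entries, token):
    """Log timestamp of the earliest request for an injected page (log order):
    it bounds the window in which the dropper was planted."""
    hits = injected_hits(entries, token)
    return hits[0]["ts"] if hits else None


def suspicious_posts(entries):
    """Direct POSTs to PHP files under wp-content/. Nothing under uploads/ should be
    executable PHP at all, and plugin endpoints are normally reached through WordPress'
    own entry points, so these are the requests to look at first. Returns {ip: Counter(path)}."""
    by_ip = defaultdict(Counter)
    for e in entries:
        p = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and p.startswith("/wp-content/") and p.endswith(".php"):
            by_ip[e["ip"]][p] += 1
    return dict(by_ip)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("injected pages first requested at:", first_seen(log, "b5dde2"))
    for ip, paths in suspicious_posts(log).items():
        for path, n in paths.most_common():
            print(f"{ip} POST x{n} {path}")
```

On a real server, run the same filters over the rotated logs that cover the days before the first injected page was seen; the attacker's IP is often the only client that POSTs to a plugin file and then to a file under uploads/ within seconds.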

Arturo99

1:51 pm on Feb 20, 2021 (gmt 0)

Thanks. A great reply. Never even heard of wpscan.
Submitted to them.

Kendo

7:17 am on Feb 21, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It is always about write permissions. To update WordPress and plugins one needs to enable write permissions, which I never thought was a good idea. Or perhaps you have enabled write just for an update and forgot to reset it afterwards.

martinibuster

9:21 am on Feb 21, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



You've been hacked. What not2easy said is spot on. The Wordfence notices give a clue that you're running outdated plugins. That may be the vector used for the hacking.

If none of the plugin versions that match yours has a vulnerability, then check your themes.

Arturo99

9:29 am on Feb 21, 2021 (gmt 0)

The WP Vulnerabilities Database site seems to want me to install wpscan on my server.
My host does not have wpscan installed.
What's the easiest way to check my plugins?

not2easy

1:02 pm on Feb 21, 2021 (gmt 0)

Go to the installed plugins interface of the Admin panel. Copy and paste a list of your installed plugins to a text file, then visit the site and look up each plugin. They are listed there alphabetically and by date or you can use their search.

You do not need to install anything to check your plugins unless you just want to.

martinibuster

1:07 am on Feb 22, 2021 (gmt 0)

Easy way:
Google the name of each plugin with the version number and the word vulnerability, like this:
Redux WordPress plugin 4.1.24 vulnerability


Take note that if you have version 4.1.0 and the vulnerability affects 4.1.24, your plugin is probably vulnerable, because vulnerabilities usually affect all versions UP TO whatever version it was discovered in.

Got that?
;)

Roger Montti
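Added example, not code from the thread or from any poster, covering both the manual check not2easy describes (list installed plugins with their versions, then look each one up) and the version-range point in the post above. It reads the standard WordPress plugin header ("Plugin Name:", "Version:") to get installed versions, then compares each against the version an advisory says fixed the bug: anything below the fix is affected, and an advisory with no fix yet affects every version. The comparison is numeric, which matters because a plain string comparison puts 2.10.3 before 2.9.0. The plugin headers and the advisory list are constructed for the example; the plugin names are hypothetical and the advisories are not real.

```python
"""Added example, not code from the thread: flag installed plugins against a list
of advisories. Assumes each plugin's main .php file carries the standard WordPress
header ("Plugin Name:", "Version:"). The headers and advisories below are
constructed for the example; the plugin names are hypothetical and the advisories
are not real. Real advisories come from a vulnerability database, and the
version that FIXED the bug is the one to compare against.
"""
import re

# Constructed header blocks, as read from each plugin's main .php file.
PLUGIN_HEADERS = {
    "alpha-gallery/alpha-gallery.php": "/*\nPlugin Name: Alpha Gallery\nVersion: 4.1.0\n*/",
    "beta-forms/beta-forms.php": "/*\n * Plugin Name: Beta Forms\n * Version: 2.10.3\n */",
    "gamma-seo/gamma-seo.php": "/*\nPlugin Name: Gamma SEO\nVersion: 1.8\n*/",
}

# Constructed advisories: (plugin slug, version that fixed it or None if unfixed, title).
ADVISORIES = [
    ("alpha-gallery", "4.1.25", "arbitrary file upload"),
    ("beta-forms", "2.9.0", "stored XSS"),
    ("gamma-seo", None, "unauthenticated option update"),
    ("delta-cache", "3.0.1", "path traversal"),   # not installed here: must not be flagged
]


def parse_version(s):
    """'2.10.3' -> (2, 10, 3). Non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def version_lt(a, b):
    """Numeric, zero-padded comparison: 2.9.0 < 2.10.3, and 1.8 == 1.8.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def installed_versions(headers):
    """{slug: version} from plugin header blocks; slug is the plugin directory name."""
    out = {}
    for path, header in headers.items():
        slug = path.split("/")[0]
        m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.M)
        out[slug] = m.group(1) if m else None
    return out


def flag_vulnerable(installed, advisories):
    """Return [(slug, installed, fixed_in, title)] for every advisory that applies.
    Below the fixed version means affected; no fixed version means every version is."""
    flagged = []
    for slug, fixed_in, title in advisories:
        cur = installed.get(slug)
        if cur is None:
            continue                      # not installed, or no parseable version header
        if fixed_in is None or version_lt(cur, fixed_in):
            flagged.append((slug, cur, fixed_in, title))
    return flagged


if __name__ == "__main__":
    found = installed_versions(PLUGIN_HEADERS)
    for slug, cur, fixed_in, title in flag_vulnerable(found, ADVISORIES):
        fix = f"update to {fixed_in}" if fixed_in else "no fix available, remove it"
        print(f"{slug} {cur}: {title} ({fix})")
```

A plugin with no version header, or one installed from outside wp.org under a renamed directory, gets no verdict from this and needs a manual look; the script narrows the list, it does not close the case.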

not2easy

2:14 am on Feb 22, 2021 (gmt 0)

I just visited again (haven't been there for a while) - and I see that the old site is redirecting to a new version run by the wpscan people. It has the same services as before but the URL is different from last year, now at https://wpscan.com/plugins - but I still see this as much easier than sorting through Google results.

The wpscan database is where all vulnerabilities are listed now, along with the date of first report. It also tells you whether there is a new version that corrected the problem or not. Ignore the front page and use the top menu, where it says "Plugins" or the "Themes" link. You can create an account if you want, but it is not required, it is like a public service, imho. There is a plugin that is causing the URL injection, but this is the fastest way I know to find out from a trusted source just what plugins have what defects.

martinibuster

2:43 am on Feb 22, 2021 (gmt 0)

wpscan changed their site, apparently in order to hide information unless you pay for it.

I don't use them anymore for anything.