A took over an infected WordPress site. I had Sucuri clean the malware. The hosting was a mess. There were three WordPress installs in this hosting account, but only one was the site. It took a while to figure which one was the live site.
While trying to update core I got the following.
The following article helped me shed some light on the situation.
I was going to change the permission, but Sucuri wasn’t finished scrubbing the malware. If I can remember I will post my results.
I hope this helps someone else out there…