The OP's two threads have taken off in entirely different directions...
Are they really so different? Both agree the site has been hacked.
Although the site might have been hacked via a WordPress vulnerability, this type of hack looks fairly generic and similar hacks could happen to any site that has security vulnerabilities.
Interesting that this requires short_open_tags to be enabled on the server.
I did notice that that according to the paths in my log file, only wordpress posts get the readme.php called after they load. Pages or tag pages do not get the call to readme.php.
May be wordpress post URLs are easier to gather? Or may be that was all the hacker reqd? As mentioned, it could be that the external site is requesting both the wordpress post (having gathered the URLs?) and is then requesting readme.php. Or did you find that if YOU requested the wordpress post, YOU also requested readme.php? Must admit I'm struggling with the idea that readme.php could be requested as a result of a wordpress post being requested AND both URLs appear as individual requests in the logs AND nothing strange appears in the page source. However, there could be some kind of server-side redirect(?!) going on which would indicate that some other files have also been compromised.
Check .htaccess for any additional code that might have been added. If other wordpress files have been compromised then "readme.php" might not appear as is; it could be encoded in some way which will make searching difficult.