I installed a brand new copy of WordPress on a clean site, with no plug-ins or extras, and within 24 hours the site had been compromised with "hacked by ho1onk" in the Site Title and Tagline; the administrator account (it was not "admin") had its password and email changed to "hogyzhnc@gmail.com" as well. A Google search for this seems to suggest it is a rather widespread problem.
All passwords were random 16-character alphanumeric strings with mixed caps.
My question is: by what method can this happen? I am having disagreements with my hosting provider as to how this happened. They suspect the admin username and password were compromised and the site was changed manually. I suspect a bot and possibly an SQL injection method, but am not yet up to scratch on how this would be done. My argument stems from not being able to set wp-config to 640 permissions (currently 644) as per the Hardening WordPress document, thus leaving it open to extraction of the plain-text SQL information. My host provider denies this and thinks that even with 644 permissions it is impossible to read the wp-config file from the web.
Can anyone explain how this might have happened, and whether it is actually possible to extract the contents of the wp-config file if it has world read permission?
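The permissions argument above is the one part of the question that can be checked directly. The following shell script is an added example and not part of the original post: it audits the mode and ownership of a `wp-config.php` file and flags whether the "others" bit grants read access. It assumes a Linux system with GNU `stat`; the demo writes a constructed placeholder file rather than touching a real install. The relevant caveat it encodes in its message: a 644 file is not served raw over HTTP as long as PHP executes it, so the exposure from world-read permission is to other local accounts on a shared host, not to anonymous web visitors.

```shell
#!/bin/sh
# Added example: audit wp-config.php file permissions (assumes GNU stat on Linux).

# Octal mode of a file, e.g. 644 or 640.
wp_config_mode() {
    stat -c '%a' "$1"
}

# Exit 0 if "others" have read permission on the file, 1 if not.
wp_config_world_readable() {
    mode=$(wp_config_mode "$1")
    others=$(( mode % 10 ))        # last octal digit = permissions for "others"
    [ $(( others & 4 )) -ne 0 ]    # bit 4 = read
}

# Print an assessment; exit 0 when the file is not world-readable, 1 when it is.
audit_wp_config() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "no such file: $f"
        return 2
    fi
    mode=$(wp_config_mode "$f")
    owner=$(stat -c '%U:%G' "$f")
    if wp_config_world_readable "$f"; then
        echo "$f is mode $mode (owner $owner): world-readable." \
             "Any other local account on a shared host can read the DB credentials;" \
             "it is still not served raw over HTTP while PHP executes it."
        return 1
    fi
    echo "$f is mode $mode (owner $owner): not world-readable."
    return 0
}

# Demo on a constructed file with a placeholder value (no real credentials).
tmp=$(mktemp)
printf "<?php define('DB_PASSWORD', 'example-placeholder');\n" > "$tmp"
chmod 644 "$tmp"
audit_wp_config "$tmp" || :    # flagged as world-readable
chmod 640 "$tmp"
audit_wp_config "$tmp" || :    # passes
rm -f "$tmp"
```

Run it as `sh audit.sh` on the host; point `audit_wp_config` at the real `wp-config.php` path to get the same verdict for a live install. The group owner matters as much as the mode: 640 only helps if the group is the web server's, not a shared "users" group.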