WP Version 3.0.1 hacked: Someone changed my username and password

I’m at midphase as well. Sounds like we have the same issue.

awhitemage – where in your directory are the “two” files you found?

awhitemage – Can you walk me through how you changed your wp admin username & password back so you could again login? Or, have you not been able to get back in? Thank you.

@awhitemage Thank you. That’s exactly what I was looking for. However, I had two usernames I had created, one apparently was deleted. The remaining one only has partial permissions (Author permissions). Any idea on how to create a new user with full permissions? Or get back the previous user that was deleted? Thanks so much.

Update: For a 2nd time, I restored a pre-hack backup & have made a number of security enhancements. I don’t know if any of these will prevent this from happening again, but thought I’d share. If anyone has further suggestions please let me know.

I added these to my public_html .htaccess:

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# DENY PUBLIC ACCESS TO YOUR php.ini file
<Files php.ini>
order allow,deny
deny from all
</Files>

# DENY PUBLIC ACCESS TO YOUR php5.ini file
<Files php5.ini>
order allow,deny
deny from all
</Files>

# QUERY STRING EXPLOITS
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|�|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ – [F,L]

I found this person who had a similar type of hack. They made several changes. The one I changed was the wp-config.php permission to 400.

I’m working on restricting IP addresses to /wp-admin with .htacess in that folder, but keep getting a “page doesn’t exist” error after attempting to login. I had it working, until I added some of the public_html .htaccess items listed above. I don’t know if one of them is interfering or not.