Before I begin... all of the sites I'm about to mention are 2.9.1 - very few plugins, but all plugins are up-to-date as well.
So here is my plight...
On January 2 I found that one of my web sites had been hacked. In this particular hack - the title of my web site had been hacked and changed. Here is the damage that was done with that attack:
Title of web site changed to say "Hacked by DAVA_Cybernetica"
In the tagline - placed a link to fasthacker.us
Reset the admin password
Okay... pissed off and all - I obliterated the whole site. The WP installation was removed - new 2.9.1 installed. New passwords for the admin account, and new mysql db name and password. I imported the XML file that had my posts in it (only after verifying that nothing suspicious was inserted into it... that took a while).
So the site goes back live two days later. Then this week two of my sites get hacked by the same group. This time instead of changing the information listed above - they inserted a file in the root of my web directory called LC.html - which was a "Your site has been hacked..." file. Same group again.
This time - both sites obliterated - all passwords changed - no plugins running. I checked with my host - they have had no reports of hacking. They are usually very good about responding to stuff like this when it happens, so I do trust their information.
If you Google the group - it's an Indonesian Defacing group, and you can see several sites across the net who have fallen victim to this group. Sadly no real knowledge of how they are getting in...
First question - has anyone heard/dealt with this group before?
Second question - what suggestions can you give for preventing future attacks? I have seen the "Hardening WordPress" Codex file and have done most of it (that is applicable).
Any suggestions would be very helpful and appreciated!
Thanks for your time,