Have you tried deleting the user and transferring all posts/pages and admin privileges to a new user?
Actually that’s a very good idea… I feel like there might be some negative effect of removing privileges from the admin account, but maybe there isn’t…
Does anyone know of a negative effect this might have? Other than the potential for losing all admin accounts, that is…
No. The admin account is just like any other user with Administrator privileges.
If you have changed the admin account password, then the cookies the hacker has will already have been invalidated, as they are in part based on a hash of the password.
If the hacker can still get in, it is likely they have either created a second admin account or have uploaded php files to your server which allow them to access the database directly, so they can regenerate themselves valid cookies.
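The following is an added illustration, not code from WordPress or from anyone in this thread. It is a deliberately simplified model of an auth cookie whose signature covers a fragment of the stored password hash, which is the property the reply above relies on: rotating the password invalidates every cookie minted under the old hash, while an attacker with direct database access can simply mint a fresh one. The secret key, hash function and cookie layout are all constructed for the example and do not describe WordPress's real format.

```python
import hashlib
import hmac

# Constructed stand-in for a site-wide secret; not a real key.
SECRET_KEY = b"constructed-site-secret"


def hash_password(password):
    """Toy password hash for the model (a real system would use a slow, salted KDF)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_auth_cookie(username, password_hash, expires):
    """Mint a cookie whose HMAC covers the user, expiry and a fragment of the password hash."""
    frag = password_hash[8:12]  # the fragment ties the cookie to the current credential
    msg = f"{username}|{expires}|{frag}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{sig}"


def validate_auth_cookie(cookie, user_db, now):
    """Recompute the cookie from the *current* stored hash and compare in constant time."""
    try:
        username, expires_s, _sig = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return False
    if expires < now or username not in user_db:
        return False
    expected = make_auth_cookie(username, user_db[username], expires)
    return hmac.compare_digest(expected, cookie)


def demo():
    """Returns (valid before password change, valid after, valid if re-minted from the DB)."""
    user_db = {"admin": hash_password("old-password")}  # constructed user record
    now = 1_700_000_000  # fixed constructed timestamp so the run is deterministic
    expires = now + 86400

    stolen = make_auth_cookie("admin", user_db["admin"], expires)
    before = validate_auth_cookie(stolen, user_db, now)

    # Admin changes the password: the stored hash, and therefore the fragment, changes.
    user_db["admin"] = hash_password("new-password")
    after = validate_auth_cookie(stolen, user_db, now)

    # Someone who can read the database can mint a cookie under the new hash,
    # which is why a password change alone is not enough if the server is still compromised.
    reminted = validate_auth_cookie(make_auth_cookie("admin", user_db["admin"], expires), user_db, now)
    return before, after, reminted


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The practical takeaway matches the reply: a password rotation only closes the door if the attacker no longer has a way to read the secret key and the user table, which is why checking for leftover files and extra admin accounts matters.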
Westi, thanks for the very useful response.
I’m pretty sure they no longer have any php files of the kind you mention. They were using them like crazy, but I’ve diff’ed my way through all the files on the server and none seem out of place.
They were using the admin account, but since I changed its password they have been jumping to various editor accounts (we have >100 accounts :S) and even to author accounts (where they can only edit the author’s own posts, which is what they are doing).
To me this implies that they are not able to generate new accounts and that they are running out of saved hashes to use.
Would patching my copy of WP to use the new ‘salting’ make a difference? I’m about to just tell all our users to change their passwords, but some are MIA and stuff, so it would probably end up being a huge hassle.
Thanks for any input you can give.
Just a note: We had locked down and cleaned every directory in the system except for /wp-content/, which had to stay writeable for image uploads. The hacker was using a fake jpg file full of php code in conjunction with a .htaccess file in the month folder (/uploads/2008/02) that was allowing php execution of jpg files.
So: if you are being hacked and have full server access, disable .htaccess in your /wp-content/ folder and lock everything but /uploads/ down.
They will think of some other way to get at us, I’m sure.
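An added example, not code from this thread or from WordPress, that turns the last post's finding into a check a site owner can run: walk an uploads tree and flag any .htaccess file (especially one that registers a PHP handler for other extensions) and any image-extension file whose bytes contain a PHP open tag. The directory layout, file names and contents below are constructed to mirror the /uploads/2008/02 case described above; point `scan_uploads` at a real wp-content/uploads path to use it.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions that should never carry server-side code in an uploads tree.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# PHP open tags: the long form (case-insensitive) and the short echo tag.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
# .htaccess directives that can make non-.php files run as PHP or alter PHP config.
HTACCESS_RISKY_RE = re.compile(
    r"AddType\s+application/x-httpd-php|AddHandler\s+\S*php|SetHandler\s+\S*php|php_value|php_flag",
    re.IGNORECASE,
)


def scan_uploads(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == ".htaccess":
                text = path.read_text(errors="replace")
                if HTACCESS_RISKY_RE.search(text):
                    findings.append((rel, "htaccess enables PHP handler"))
                else:
                    # Any .htaccess in uploads is worth a look, even if it seems benign.
                    findings.append((rel, "htaccess present in uploads"))
            elif path.suffix.lower() in IMAGE_EXTENSIONS:
                if PHP_TAG_RE.search(path.read_bytes()):
                    findings.append((rel, "image file contains PHP open tag"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample uploads tree reproducing the pattern from the thread."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    month = root / "2008" / "02"
    month.mkdir(parents=True)
    # Constructed: a handler directive that makes .jpg files execute as PHP.
    (month / ".htaccess").write_text("AddType application/x-httpd-php .jpg\n")
    # Constructed: a file with a JPEG-looking prefix followed by PHP code.
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF fake header <?php echo 1; ?>")
    # Constructed: an ordinary image with no code in it.
    (month / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 plain image bytes")
    (root / "2008" / "01").mkdir()
    (root / "2008" / "01" / "notes.txt").write_text("not an image")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, reason in scan_uploads(sample_root):
        print(f"{rel}: {reason}")
```

The scanner is a detection aid, not a substitute for the server-side fix in the post: with AllowOverride disabled for wp-content and PHP execution turned off under uploads, a smuggled .htaccess has no effect, and a jpg full of PHP is just an odd-looking image.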