My WP 2.0 Installation has been Hacked

  • I upgraded to the latest version of WP last week. It went well.

    Yesterday I was editing my site and got locked out – I had to reset my password.

    Half an hour later, it happened again. I thought it was really strange. I was doing a bunch of rapid edits very close together and I thought maybe it was some new security feature, that WP was locking me out. I meant to cruise through the codex to find out, but didn’t have time.

    Later that evening, my latest password still worked so I forgot about it.

    Around 7:40 last night, my domain was running a Bank of America phishing site out of my images directory, which is where my WP installation is set to upload files.

    My host, The Planet, suspended my site when they realized what was going on. My host won’t un-suspend my site until they think I’ve made my WordPress installation secure again.

    With a new pwd from my host, I was able to FTP in and delete a bunch of malicious PHP scripts from my images dir, but I’m not sure how my WP installation was compromised in the first place. No one else uses it but me, and I always edit it from behind a firewall and I can’t think of any way my password could have been intercepted. (I’m an engineer at an ISP, btw.)

    I desperately need comments, advice, links to security articles, etc.

    Any advice would be deeply appreciated.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Oh, and I’ve read, of course. I’m just looking for further discussion and advice. Thanks.

    One of the things you could do is include a .htaccess in your upload file that tells Apache not to execute PHP:

    AddType text/plain .php

    This would prevent anybody from uploading a PHP script to your uploads directory and wreaking havoc.

    Good idea. Thanks!
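A defender-side audit to pair with the .htaccess suggestion above, as an added example that is not part of the original thread: it checks whether an uploads directory carries the `AddType text/plain .php` rule and lists files that could be run as PHP. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed list of extensions a server may hand to PHP; match it to your Apache config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}

def has_plaintext_rule(directory):
    """True if directory/.htaccess has an uncommented 'AddType text/plain ... .php'."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            rules = [l.split() for l in fh if not l.lstrip().startswith("#")]
    except OSError:
        return False
    return any(len(r) >= 3 and r[0].lower() == "addtype"
               and r[1].lower() == "text/plain" and ".php" in r[2:] for r in rules)

def audit_uploads(root):
    """Walk root; return sorted (relative_path, reason) for files that could run as PHP."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f != ".htaccess"):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            # mod_mime considers every dot-separated part, so "x.php.jpg" counts too.
            if SCRIPT_EXTS & {p.lower() for p in name.split(".")[1:]}:
                findings.append((os.path.relpath(path, root), "script extension"))
            elif b"<?php" in head:
                findings.append((os.path.relpath(path, root), "PHP tag in content"))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temp dir, then check and audit it."""
    samples = {  # constructed sample files, not taken from the thread
        "logo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "signin.php": b"<?php /* constructed placeholder */ ?>",
        "banner.php.jpg": b"\xff\xd8\xff\xe0",
        os.path.join("2006", "photo.gif"): b"GIF89a<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "2006"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = has_plaintext_rule(root)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("AddType text/plain .php\n")
        return before, has_plaintext_rule(root), audit_uploads(root)
```

Point `audit_uploads()` at the real uploads directory; anything it lists in a directory meant to hold only images deserves a manual look.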

    Mark (podz)


    Support Maven

    It could have been a script from elsewhere on your server.
    It could have been a poor password.
    It could have been a poor ftp password.

    Both my WP and FTP passwords were more than 6 characters long, with upper and lowercase letters, numerics, and special characters.

    I’d installed several plugins… I’ve been wondering if they had anything to do with it.

    The host *says* nothing else on the box was compromised, but they seem to be looking into increasing security in general.

    Now they’re saying my domain wasn’t the only one compromised on the box, so the intrusion didn’t necessarily come in through my domain.

    They have said though that my FTP password wasn’t sniffed.

    And most of my content seems to still be there, which is nice.

    We are having a lot of issues with WordPress being hacked with BOA phishing sites and so forth.

    We have a pretty aggressive mod_sec rulesheet and they are still coming in, a good 10 or so a day.
