• Hello,

    My WordPress 1.5.2 was hacked!

    In fact I kept this version because I found it lighter and I was too lazy to update to 2.x.

    But yesterday, I was told my session had expired, and my pass didn’t work anymore.

    I checked the databases and the mail of the admin was changed to another one! I guess this is some SQL injection: the hacker put his email in the database and resent the pass to his address.

    So I’m updating to 2.0 now.

    Are there some places (in the database) where I should look to check that there is no backdoor left?

    I found this about 1.5.2 vulnerabilities:
    http://me.abelcheung.org/2006/05/24/no-more-wordpress-1-5-x/

    thanks

    D.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi David,

    You may want to check with your host. They may be able to provide you with some information about how you were hacked. Maybe that might help to identify what may still need to be closed up. HTH!

    Thread Starter david67

    (@david67)

    Inspired2Write: thanks! What kind of information from the host should I ask for?

    I installed WordPress 2.0.5, and the only files from the 1.5.2 version I kept (fearing the backdoors) are the wp_config.php and the .htaccess, so is it possible to put backdoors in the SQL?

    thanks !!

    David.

    Hi David,

    My knowledge is pretty limited in regards to this topic, but I’ve learned from other forums when someone has been hacked that their host can sometimes provide information as to how, and/or where the vulnerability was. So, they may be able to help you identify where the door was. You may want to start a support ticket with your host by informing them your site was hacked, and ask if they have any information about it. They should know what to look for from their end to possibly identify where the door was.

    Other than that hopefully a mod or someone more knowledgeable than myself may be able to instruct you in regards to specifically what to look for within your WordPress database for that previous version, or how to get things closed up securely again since you upgraded.

    Thread Starter david67

    (@david67)

    Thanks! I’ll just ask my host so 😉

    Hi David,

    Unfortunately, this is a risk of running anything older than WordPress 2.0.4. There’s a large number of people who have the know-how to wreak havoc on these older blogs at will. You are very lucky to have posts and comments left on your blog. I’ve been sitting on a 7 page post for the last 6 months about this very subject. Your question has convinced me to finally clean it up and hit the publish button. If you want to know some of the things that could have happened, wander over to http://www.thecodecave.com/article249 and take a gander. It’s a bit late now, but maybe someone that hasn’t upgraded yet will wander into this post.

    Please use your experience to convince your friends to upgrade. In the future, if you value what you’ve written, you really should upgrade more quickly. WordPress 2.0 came out a year ago. The WordPress 2.0.4+ world is never again going to be as vulnerable as the 1.x world was, but modern releases are going to include security fixes. Even 2.0.6 will have a security fix. Look for that to come out very soon. WordPress 2.1 will be following quickly on its heels.

    As for what to do now that the fox was seen leaving the chicken coop, I do have several recommendations.

    1. You need to change the password to your database and in your wp-config.php file. This is NOT the password you use when you want to post something. This is the password you put in wp-config.php when you first created your blog. You might never have seen or used that password since that day, but if you were hacked, someone else possibly has. Your webhost may have to help you do that, if you are not familiar with the procedure.

    2. You need to change the password you use when you make posts. This should be done AFTER step 1 is completed even if that means changing your admin password twice.

    3. Review the list of users on your blog. This should be done on a regular basis. One of the attacks I’ve tested on the older version of WordPress involved upgrading a normal user to an Admin user. You should review your list of users on a regular basis.

    4. Look at your file lists and delete any files that you don’t recognize. Files like CMD.TXT etc. are often placed on websites and used to attack other websites.

    5. Set the access rights to the files on your website. Perhaps someone will post their preferred access rights. Some people run a tight ship, others don’t. This is done with telnet access and running the chmod command. I’m not going to make a recommendation at this point. Frankly, I’m not sure I would make the right recommendation for everyone. If you tell your web host that you want to make it so that people can’t upload scripts to your site, they can probably change the rights for you.

    6. Make sure you don’t have any strange plugins installed. This is pushing it, but if you know you’ve been safe, it is best to check everything.

    7. Evaluate if this attack has made you vulnerable anywhere else. Do you use the same password for your email as you did for your blog? Surely it isn’t the password for your banking site or anything, but are there any other passwords you need to change?

    That’s where I’d start. I hope that helps…

    The other reason to let your host know, of course, is that this attack may not have come from the WordPress side of things. Quite often small hosting companies have little “oops” mistakes that allow one account to spread a worm into another account. So, without knowing more about the attack, I can’t evaluate where the hole is.

    In any case, as a responsible user, you need to let them know. Besides, if the hole is on their side, this will happen again and again and again no matter what version of WordPress you run.

    I hope this all works out for you…

    Cheers!
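
Step 4 of the reply above (finding files you don't recognize), as an added example that is not part of the original thread: it hashes a live install and a fresh download of the same WordPress release and sorts the differences into altered core files, files the release never shipped, and site-owned files to read by hand. The function names, the `SITE_SPECIFIC` list and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Site-owned locations: files here that the release does not ship need a
# manual read rather than automatic deletion (assumption, adjust per site).
SITE_SPECIFIC = ("wp-config.php", ".htaccess", "wp-content/")

def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def audit(live_root, clean_root):
    """Classify live files against a pristine copy of the same release."""
    live, clean = tree_hashes(live_root), tree_hashes(clean_root)
    report = {"unknown": [], "modified": [], "review": []}
    for rel, digest in sorted(live.items()):
        if rel in clean:
            if clean[rel] != digest:
                report["modified"].append(rel)   # shipped file was altered
        elif rel.startswith(SITE_SPECIFIC):
            report["review"].append(rel)         # config, plugins, themes, uploads
        else:
            report["unknown"].append(rel)        # not part of the release
    return report

def demo():
    """Audit two small constructed trees (sample data, not real WordPress files)."""
    clean_files = {"index.php": "core", "wp-login.php": "login",
                   "wp-includes/functions.php": "functions"}
    live_files = dict(clean_files)
    live_files.update({"wp-login.php": "login, altered", "CMD.TXT": "dropped",
                       "wp-config.php": "db settings", ".htaccess": "rules",
                       "wp-content/plugins/example-plugin.php": "plugin"})
    with tempfile.TemporaryDirectory() as tmp:
        for sub, files in (("clean", clean_files), ("live", live_files)):
            for rel, body in files.items():
                path = os.path.join(tmp, sub, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        return audit(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at a fresh unpack of exactly the release that is installed; comparing against a different version reports every core file that changed between releases as modified.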
