My site is hosted on HostRocket.com
I discovered, quite by accident, that somehow, someone had gained access to my world writable Uploads directory and uploaded over 42MB of crap... scripts, directories for all sorts of websites like viagra, mortgages, executables, etc... just absolutely shocking.
The hacker basically had free reign over the entire Uploads directory because it was set by WordPress to have 777 permissions and is owned by the server.
I don't understand all the complexities involved in security, php scripts, shared hosting etc. But it seems awfully negligent to design a web application like WordPress that leaves directories World Writable. To top it off those directories are owned by the server so the user can't even change the permissions to a more secure state without calling the webhost and having them change ownership of those directories to the user.
I don't understand fully how someone with the knowledge can gain access to world writable directories in a shared hosting environment and upload malicious php code into basically anyones directories, but it has happened to me three times... twice with WordPress and once with PHPwebsite. Pair.com was the host for PHPwebsite and HostRocket was the host for the two hacked WordPress sites.
To thwart this in the future, the tech at hostrocket placed a .htaccess file in the Uploads directory that effectively prevents php scripts from running in that directory. the code he used was...
php_flag engine off
But please tell me why WordPress has worldwriteable directories by default and why there isn't some mechanism to change those permissions easily from within WordPress to help with security?
The tech at my webhost says he sees this sort of thing happening ALL THE TIME.
Any input on this folks?