So, the site is back to normal. The question is: how did this happen? My passwords consist of 12 randomly generated digits/symbols, and I’m using the latest versions of WordPress and various plugins. It could be that I was just one of the lucky first few to have their WP 2.7 installs compromised. It could also be that the attack came from a hole in one of my plugins.
It appears that only my wp-config.php and index.php files were overwritten. My MySQL database and theme files were unaffected. It wasn’t that hard to recover from this, but it was a bit scary. The majority of my time was spent checking through all of my files to ensure I captured the extent of the damage.
Whatever the vulnerability was, this incident is a good opportunity to take stock of ways to minimize the chance of it happening again.
1. Spend some time learning about hardening your WordPress installation. One thing I learned after this incident is that anyone can peek into my plugins folder.
2. Backup. Backup. Backup. Not just your WP files, but also your MySQL database.
3. Keep your plugins and your WordPress version up to date.
4. Make sure your file and directory permissions are correct.
5. Choose good, long passwords. Use a manager like 1Password so you don’t have to remember what they are.
6. If you have multiple WordPress installs (or Drupal, Joomla, etc.), ensure those sites are up-to-date as well. For instance, I had two Drupal installs and two other WordPress installs in the same public directory on my host. My Drupal installations were not up to date. This could be a vulnerability.
I’m not going to rehash all of the WordPress security tips and tricks here. It’s exhaustively documented. Start with the WordPress Codex. Learn a bit about the .htaccess file. Learn a bit about file permissions. I’ve linked to some of the more interesting documentation I came across. Hope it helps.
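As an added example (not from the original post), here is a small POSIX shell toolkit covering steps 1 and 4 and the file-checking chore described above: it records a hash baseline of a WordPress tree so that overwritten files like wp-config.php and index.php (or a newly dropped .php file) show up immediately, checks that wp-config.php is not world-readable, and checks that .htaccess disables directory listing. It assumes GNU coreutils (sha256sum, stat -c, sort -z) and a hypothetical baseline file path chosen by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU coreutils.

# Record a sha256 for every .php and .htaccess file under $1 into baseline $2.
# Keep the baseline outside the web root so an intruder cannot edit it too.
wp_baseline() {
  wb_root=$1; wb_out=$2
  ( cd "$wb_root" && find . -type f \( -name '*.php' -o -name '.htaccess' \) -print0 \
      | sort -z | xargs -0 sha256sum ) > "$wb_out"
}

# Print the names of files whose hash differs from baseline $2 or that are new.
# Lines in the current snapshot but not in the baseline are either modified
# (different hash) or newly added (e.g. a file dropped by an attacker).
wp_changed_files() {
  wc_root=$1; wc_base=$2
  wc_tmp=$(mktemp)
  wp_baseline "$wc_root" "$wc_tmp"
  sort "$wc_base" > "$wc_tmp.b"; sort "$wc_tmp" > "$wc_tmp.c"
  comm -13 "$wc_tmp.b" "$wc_tmp.c" | awk '{print $2}'
  rm -f "$wc_tmp" "$wc_tmp.b" "$wc_tmp.c"
}

# Return 0 if wp-config.php exists and is not readable by "other" users
# (the DB password lives in this file, so 640 or 600 is what you want).
wp_config_perm_ok() {
  cp_mode=$(stat -c '%a' "$1/wp-config.php" 2>/dev/null) || return 1
  [ $((cp_mode % 10 & 4)) -eq 0 ]
}

# Return 0 if the root .htaccess turns off directory listing (Options -Indexes),
# which is what stops anyone from browsing the plugins folder.
wp_indexes_disabled() {
  grep -qs -- '-Indexes' "$1/.htaccess"
}
```

Run wp_baseline once after a clean install or upgrade, then wp_changed_files whenever you suspect tampering; an empty result means no tracked file changed.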
Site hack recap
Troy Kitch
@troykitch