Hey all, it seems this forum is full of "my acct was hacked" posts. I searched but didn't find what I was looking for, so I thought I would add to the list. lol My self-installed WordPress acct was hacked. The page loaded up to a nice black and red image stating it was hacked and giving an email address. It was running 2.7 and I just got it restored and upgraded to 2.7.1 and changed the pass. My cPanel does not appear to be hacked and the other blog that I run on the same domain was not hacked. Nonetheless I would like to add a bit of extra security so this doesn't happen again. I was wondering if there is a way to do this reasonably. I was thinking to perhaps use cPanel to put a password on the wp-admin page, or chmod something. Of course that means I would have to unchmod the file each time before I added to the blog, so that would be a last resort. Anyway, is there some easy way to add an extra security step to prevent being hacked? Or maybe I am so ignorant of how I was hacked that I am completely missing the boat here. First time I have ever been hacked, and I am starting to learn. Any pointers or further reading would be helpful. I know you are all busy, so thanks for your time. Matt
Do you have administration access to the server your WordPress is hosted on? If yes, it's always a good option to have Suhosin and/or mod_security installed to prevent most of the PHP/MySQL hacking. The obvious is keeping your WordPress and its plugins always up-to-date and a strong admin password.
These are the security basics of WordPress: http://codex.wordpress.org/Hardening_WordPress However, the defacement most likely was not caused by WordPress-specific flaws. Anyway, the article talks about file permissions and other common-sense practices.
As ipdedicated stated, mod_security is a good start to stop popular attack methods (RFI/LFI, SQL UNION attacks, etc.). To further this, use strong passwords for everything, and check your other sites on that account/IP for intrusions. In my heyday, I would gain access via a shell much like c99, then escalate my privileges and toy with other sites on that account or box, but I would never touch the account/access point I used to enter in with. WordPress is pretty good with not having many security flaws, but the 3rd-party widgets, etc., I wish I could say the same. It really comes down to taking the time to take a look at the coding structure and inspecting each file as you progress. Good luck!
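Two of the things raised in this thread, resetting file permissions per the Hardening_WordPress article and putting a second password in front of wp-admin (what the OP wanted to do through cPanel), can be done with a small POSIX shell script. This is an added example, not code from the thread or from WordPress; it assumes Apache 2.2-style `.htaccess` directives and PHP running as the file owner (suPHP/FastCGI, the usual cPanel setup). The `.htpasswd` path and the `/home/user` location are placeholders.

```shell
#!/bin/sh
# Added example: WordPress permission reset plus HTTP Basic auth on wp-admin.
# Assumes Apache with .htaccess enabled and PHP running as the file owner.

# Directories 755, files 644, wp-config.php readable only by its owner.
harden_wp_perms() {
    wp_root="$1"
    [ -f "$wp_root/wp-config.php" ] || { echo "not a WordPress root: $wp_root" >&2; return 1; }
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
    # 600 is right when PHP runs as the owner (suPHP/FastCGI). On mod_php hosts,
    # where PHP runs as the web server user, use 640 with the web server's group.
    chmod 600 "$wp_root/wp-config.php"
}

# Write an .htaccess in wp-admin that demands a separate password before
# WordPress even sees the login form. $2 is the absolute path of an .htpasswd
# created beforehand, e.g. via cPanel "Password Protect Directories" or
# "htpasswd -c /home/user/.htpasswd admin" (placeholder path).
protect_wp_admin() {
    wp_root="$1"; htpasswd_file="$2"
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile $htpasswd_file
Require valid-user
# admin-ajax.php is called by public themes/plugins; leave it reachable (Apache 2.2 syntax).
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
    chmod 644 "$wp_root/wp-admin/.htaccess"
}

# List anything still world-writable; defacements usually need a writable file
# or directory, so this should print nothing after hardening.
find_world_writable() {
    find "$1" -perm -002 -print
}
```

Re-run `find_world_writable` after each plugin or theme install, since installers sometimes loosen permissions again.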