Hi, I am not sure how this could have happened, but my WordPress
And this caused some of my plugins to not work anymore, and some weird block is shown on my page. This is some kind of hacking: how could this have happened?
I have this on all my WordPress blogs (two). Is my password somehow compromised? I can easily delete those lines, but how do I make sure it does not happen again?
asked Jun 11 '11 at 04:46
You have indeed been compromised somehow.
If you'd like us to take a closer look at what happened, could you open a support ticket?
answered Jun 11 '11 at 04:52
David L ♦♦
My websites were also compromised in the same manner. Read this article. I guess it will help you. http://www.dixis.com/?p=511
answered Jul 04 '11 at 06:17
I've since made sure I upgrade WordPress when new security patches are released. As well, I remove write access to the files in the entire tree. So when I update I have to specifically change permissions to allow write access, run the upgrade and change the permissions back.
I'm going on the assumption that this wasn't a compromised password, but that the scripts that make it easy to upgrade WP are accessible to anybody and somebody found a loophole that didn't require authentication. I hope they're not able to execute generic system commands, and all evidence is that this has not happened, and my sites haven't been hacked since.
The way WP is set up on Webfaction (and perhaps elsewhere, heck, maybe this is the WP default?) puts the entire directory tree accessible to the web browser. But the wp-includes folder should probably be moved someplace else - as it is, you can ask for and run scripts in the wp-includes folder of your WP site.
Of course, moving the wp-includes folder out of the document tree means that you won't be able to run the update quite as automatically.
answered Nov 10 '11 at 14:54
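The lock, upgrade, re-lock routine described in the answer above can be scripted so the tree is never left writable after an update. This is an added example, not part of the original answer; the function names and the path passed in are assumptions.

```bash
#!/usr/bin/env bash
# Added example. All function names are hypothetical; pass your own
# WordPress root (the directory that contains wp-includes).

# Remove write permission for user, group and other on the whole tree.
wp_lock() {
    local root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" \( -type f -o -type d \) -exec chmod a-w {} +
}

# Give write permission back to the owning user only.
wp_unlock() {
    local root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" \( -type f -o -type d \) -exec chmod u+w {} +
}

# Audit: print every file or directory that anyone can still write to.
# Empty output means the tree is fully locked.
wp_writable() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Open a write window, run the upgrade command given as the remaining
# arguments, then re-lock even if that command fails.
wp_upgrade_window() {
    local root="$1" rc=0
    shift
    wp_unlock "$root" || return 1
    "$@" || rc=$?
    wp_lock "$root" || return 1
    # Refuse to report success if anything is still writable.
    [ -z "$(wp_writable "$root")" ] || return 1
    return "$rc"
}
```

Run `wp_writable` from a scheduled job as well: any output between upgrades means something changed the permissions back.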