Yes, I let my WordPress installation rot. And it’s entirely my fault.
Wordpress makes it so easy to keep it up to date now that there is no
excuse, so I do accept full responsibility! I’m lucky in the fact that
all the hacker
did was rewrite my .htaccess file to redirect visitors to a malware
After examining the WordPress database, it appeared that it hadn’t been
changed by the attacker, so I went about installing a new copy of
Wordpress. It went pretty smooth, and for right now I’m going for a
minimum amount of
plugins and keeping the design pretty basic. As I was restoring, I
began to think of what the hacker might of had access to and what I
needed to do to protect myself.
I don’t know if the attacker had access to the filesystem or could
only append lines onto the .htaccess file. Why is this important?
Your MySQL password for your WordPress installation is listed in the
wp-config.php file. If you allow access to your MySQL server from
the outside world, an attacker armed with this username and password
is free to make changes to your database, even making themselves an
administrator. So before doing the installation, I changed my
password to MySQL.
One plugin I use with WordPress is Automatic WordPress Backup.
This makes daily backups of my WordPress installation and stores
them on Amazon S3. What I realized after this hack was that if the
attacker had gotten access to administrator privileges, he could
have wiped out every single backup I have. Worse yet, they could
gain access to my access keys for Amazon S3. I went in and changed
my Amazon S3 access keys.
What I’m doing differently
I will be keeping up on WordPress updates!!!
The wp-config.php file, which contains some very important
information on your WordPress installation does not need to live in
a web accessible directory such as your main WordPress installation.
I moved it up a directory. For example, if you installed WordPress
in \~/public-html/, you can put wp-config.php in \~/.
Once my installation was completed, I created a user for myself and
made it an administrator. I then logged in as my new administrator
account and deleted the default administrator. This protects against
hacks that target the default admin account.
I switched to Disqus for comments. The blog only had one user, and I
didn’t want to worry about being hacked giving up reader
information. By using Disqus, I let them handle it. 🙂
I installed the CHAP Secure Login plugin for WordPress. This
protects logins by encrypting the password. Since I don’t have an
SSL certificate, my password would be “in the clear” without this
I will be automating the download of my backups from Amazon S3.