One of our clients on Bluehost was hacked in the last few days too, but not with this. We noticed today, but I'm not sure when it happened. Here's the script.
Maybe you should tell them to secure their wordpress install instead:
1. Put an IP lock on the login page via .htaccess so that it can't be accessed from anywhere else but your IP - this one change alone can stop a significant percentage of intruders.
2. Add this line to the .htaccess file at the top level of your WordPress install -
<FilesMatch "^wp-config\.php$">deny from all</FilesMatch> - it'll make it harder for your database username and password to fall into the wrong hands in the event of a server problem
3. Create an empty wp-content/plugins/index.html file. Otherwise, you leak information on the plugins you're running. One of the easiest ways to break into a WordPress site is to hack through outdated/insecure plugins. So don't let anyone see what plugins you're running to begin with.
4. In the header.php file for your theme, look for -
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
- this line reveals the version of your install. Again, hackers look for wordpress sites that haven't updated to the latest version, so delete this line and don't reveal your site's version.
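The .htaccess parts of that checklist (items 1 and 2), plus a site-wide directory-listing switch in place of the per-directory index.html from item 3, as one file. This is an added example, not from any commenter; 203.0.113.10 is a placeholder for your own address, and it assumes Apache 2.4 with AllowOverride permitting these directives.

```apache
# Added example: .htaccess in the WordPress document root.
# 203.0.113.10 is a placeholder; replace it with your own IP.

# Item 1: only your IP may reach the login page.
<Files "wp-login.php">
    Require ip 203.0.113.10
    # Apache 2.2 equivalent:
    #   Order deny,allow
    #   Deny from all
    #   Allow from 203.0.113.10
</Files>

# Item 2: never serve wp-config.php as a plain file, even if PHP
# handling is misconfigured and the source would otherwise be returned.
<FilesMatch "^wp-config\.php$">
    Require all denied
    # Apache 2.2 equivalent: deny from all
</FilesMatch>

# Item 3 (site-wide variant): no auto-generated directory listings,
# so wp-content/plugins/ and wp-content/uploads/ cannot be browsed.
Options -Indexes

# Item 4 is a theme edit (remove the generator meta tag from header.php),
# not an .htaccess change, so it is not covered here.
```

Check each rule from a second machine after saving: wp-login.php should return 403 from any IP not listed, wp-config.php should return 403 from everywhere, and wp-content/plugins/ should return 403 rather than a listing.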
First off, thanks for giving out instructions for securing wordpress.
> Maybe you should tell them to secure their wordpress install instead
Hence the ":P", my comment was mostly in jest.
> 3. Create an empty wp-content/plugins/index.html file - otherwise you leak information on which plug-ins you run
It's better to just disable indexes on the entire site. That prevents anyone from poking around.
Options -Indexes FollowSymLinks
> This is a lot more efficient than boycotting wordpress altogether.
Wordpress has a history of being extremely vulnerable. I don't know how much of it is user error and how much of it is related to the way php is normally configured and used.
PHP invites uploading malicious scripts. Something like Ruby on Rails (or Django) has the code for the application loaded into RAM. Static files are served out of the public folder, away from any code. This makes uploading malicious scripts useless, provided someone hasn't turned on PHP or CGI for the public folder (which you should never do). Every PHP application I've seen or worked on has mixed code with static files, and the webserver had write permissions to every folder in the application. Additionally, anyone that doesn't abstract from the database with a query generator or an ORM is asking for SQL injection.
I can understand your bitterness; one of my earliest WordPress sites got hacked. I just feel that the benefits of WordPress (ease, flexibility, SEO, etc.) far outweigh the risk of getting hacked.
Not installing Wordpress in the first place is more efficient, but your checklist illustrates there's no reason to throw the baby out with the bathwater.
Indeed. If you use shared web hosting (like Bluehost) there are often hundreds of other websites running on the same server. It is trivial to write a script that runs with the permissions of the webserver to snoop other websites' files. Read the config files (wp-config.php in the case of Wordpress) and you can then access the database directly and wreak major havoc.
http://rayschamp.com/misc/spammer.html