So spinchimp.com fell victim to WordPress vulnerabilities lately. If you have a WordPress blog, almost no doubt that you have had or will have these same issues at one point. Unfortunately it is just the way these things work.
They call them 0-day exploits: the exploit is discovered and shared among hacking communities before a patch exists, and these guys then flog the crap out of the vulnerability until it is patched.
That’s what the hordes of Windows updates you get every couple of days are for, and the same applies to WordPress. That’s why they say you should always keep WordPress up to date. This includes all plugins and themes, because a hole in any one of them is a way in. But no matter what, there is always that window where the exploit hasn’t been patched.
Anyway, something we should have done a long time ago is have some of the much needed WordPress security plugins installed. I’ll link you to a post about the best ones in a sec, but first I’ll quickly go through the ones that matter most.
WordPress File Monitor Plus
Install it and give it an email address. That’s about it. Now, whenever files change in your WordPress directory, you’ll get an email. There will always be nuisance emails when things are changed legitimately, but you’ll just have to put up with it. If you haven’t upgraded a plugin in a few weeks and you get an email, something is probably up.
Once you get the email you jump in and clean up the dodgy code.
BTW, this is a fork of the older WordPress File Monitor, which apparently isn’t maintained any more.
Antivirus (for WordPress)
Even after I’d manually gone through every file on the server and cleaned what I thought to be everything, Antivirus (for WordPress) still picked up one more. It scans the theme templates, which are a common place for a backdoor, and also runs a permalink check. Once again this plugin takes about half a second to set up. Give it an email and tick ‘daily scan’.
Another simple plugin that removes a few things that give hackers more info than they should get. Just get it.
As I didn’t have these installed, we had to do most things manually. If you are in this position, just do a wildcard search on all the files in the domain and order them by ‘Last Modified’ date. Look for a section where multiple ‘index.php’ and ‘header.php’ type files are changed all in one hit. That’s most likely when you got stung. Then you’ll have to go through manually and delete all the dodgy code.
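The same “order by Last Modified and look for the burst” check, as an added shell example rather than anything from the original post: it lists the PHP, JS and .htaccess files under a WordPress root, sorts them by modification time, and prints only the groups where several files were touched within a short window of each other. It assumes GNU find and awk (a normal Linux host), and the window and minimum group size are illustrative defaults.

```shell
# Added example, not code from the original post. Flags bursts of files whose
# modification times sit close together, the pattern a mass-injected site shows
# (many index.php / header.php files changed "all in one hit").
# Assumes GNU find and awk. WINDOW and MIN are illustrative defaults.
wp_mod_bursts() {
  root=$1
  window=${2:-600}   # max seconds between neighbouring mtimes inside one burst
  min=${3:-3}        # bursts smaller than this are ignored as routine edits

  # One line per candidate file: "<epoch> <YYYY-MM-DD HH:MM> <path>"
  find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
       -printf '%T@ %TY-%Tm-%Td %TH:%TM %p\n' \
  | sort -n \
  | awk -v w="$window" -v m="$min" '
      # Print the buffered burst only if it is big enough to look suspicious.
      function flush(   i) {
        if (n >= m) {
          print "# burst of " n " files modified together"
          for (i = 1; i <= n; i++) print buf[i]
        }
        n = 0
      }
      {
        t = int($1)                          # epoch seconds, fraction dropped
        if (n > 0 && t - last > w) flush()   # gap too wide: previous burst ends
        line = $0; sub(/^[^ ]+ /, "", line)  # drop the epoch, keep date + path
        buf[++n] = line; last = t
      }
      END { flush() }'
}

# Usage: wp_mod_bursts /var/www/html 600 3   (root, window in seconds, min files)
```

Legitimate plugin or core upgrades also show up as bursts, so read the dates against your own update history before treating one as the break-in.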
Oh, and here is the great resource on WP security plugins: http://www.ghacks.net/2010/05/08/5-wordpress-plugins-to-increase-your-blogs-security/