A few days ago I received this e-mail from DreamHost (great hosts btw, can’t recommend them enough):


I’m very sorry but I had to disable /index.php. It had
been compromised by a hacker and was being used to execute commands on
the server. It looks like it was WordPress. Please be sure that you are
running the latest version of WordPress.

I disabled the file by merely renaming index.php to

My first reaction was “holy shit.” My second reaction after a moment of thought was full of questions, most importantly was anything on my blog deleted/altered (answer turned out to be no from what I can tell).

I had just updated to WordPress 1.5.2 less then 24 hours earlier when it literally just came out, which fixed a big security hole. Using logic, I guessed that whatever DreamHost observed going on with my account happened before the upgrade.

After exchanging e-mails with DreamHost a few times to see if I could pinpoint when they observed this hacker activity, I decided to do the following steps:

  1. Reinstall WordPress 1.5.2 from a freshly downloaded copy to ensure it wasn’t compromised and files altered.
  2. Change my blog user account password and MySQL database password.
  3. Upgrade to Bad Behavior 1.2, although that has more to do with spam then anything
  4. Install WordPress Database Backup 1.6 to do backups of my WordPress database
  5. Install WP-Cron to schedule daily backups of my WordPress database

This is ontop of already using mod_security for a long time and already tough to break passwords.

The net effect of this: I will now have daily backups of my WordPress database, my WordPress installation is as secure as it can be, and I will have piece of mind.

I plan to map out a backup strategy so I can organize these backups. More on that later.

Thanks DreamHost for informing me of what happened. Because it set off a flury of improvements that I made to my blog’s security situation.

2 thoughts on “Hacked

  1. Is it possible that the fact that you upgraded to WordPress 1.5.2 so early could have something to do with it? The files in the 1.5.2 release were silently changed after the release was announced – see this post.

  2. It is possible. I did see that post about the different versions of 1.5.2 right after I got the e-mail from Dreamhost. I don’t know which copy of 1.5.2 I originally had. That is one reason why I did a reinstall of 1.5.2 from a freshly downloaded copy of it…so there was no chance of a problem.

    However Dreamhost could not tell me exactly when the hack occured (it could have been a week ago or the day of 1.5.2) without having me go deep into the logs. Not worth the time or effort really. So I still don’t know when the hack exactly occured.

    Either way, things appear to be ok and back to normal.

Comments are closed.