A few days ago I received this e-mail from DreamHost (great hosts btw, can’t recommend them enough):
I’m very sorry but I had to disable /index.php. It had
been compromised by a hacker and was being used to execute commands on
the server. It looks like it was WordPress. Please be sure that you are
running the latest version of WordPress.
I disabled the file by merely renaming index.php to
My first reaction was “holy shit.” My second reaction, after a moment of thought, was full of questions, most importantly: was anything on my blog deleted or altered? (The answer turned out to be no, from what I can tell.)
I had just updated to WordPress 1.5.2 less than 24 hours earlier, when it had literally just come out, which fixed a big security hole. Using logic, I guessed that whatever DreamHost observed going on with my account happened before the upgrade.
After exchanging e-mails with DreamHost a few times to see if I could pinpoint when they observed this hacker activity, I decided to do the following steps:
- Reinstall WordPress 1.5.2 from a freshly downloaded copy to ensure it wasn’t compromised and no files were altered.
- Change my blog user account password and MySQL database password.
- Upgrade to Bad Behavior 1.2, although that has more to do with spam than anything.
- Install WordPress Database Backup 1.6 to do backups of my WordPress database.
- Install WP-Cron to schedule daily backups of my WordPress database.
This is on top of already using mod_security for a long time and already tough-to-break passwords.
The net effect of this: I will now have daily backups of my WordPress database, my WordPress installation is as secure as it can be, and I will have peace of mind.
I plan to map out a backup strategy so I can organize these backups. More on that later.
Thanks, DreamHost, for informing me of what happened, because it set off a flurry of improvements that I made to my blog’s security situation.
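For the reinstall step in the list above, comparing the live install against the freshly downloaded copy before overwriting it shows which files were altered or added. The following is an added example, not part of the original post; the function names and the small sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(fresh_dir, live_dir):
    """Compare a live install against a freshly downloaded copy of the same release."""
    fresh, live = file_digests(fresh_dir), file_digests(live_dir)
    return {
        # Shipped files whose contents differ on the server.
        "modified": sorted(f for f in fresh if f in live and fresh[f] != live[f]),
        # Files on the server that the release does not ship (config, uploads,
        # plugins, or something an intruder dropped): review each one.
        "added": sorted(f for f in live if f not in fresh),
        # Shipped files that are gone from the server.
        "missing": sorted(f for f in fresh if f not in live),
    }


def demo():
    """Run the comparison on two small constructed trees (not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        for base in (fresh, live):
            (base / "wp-includes").mkdir(parents=True)
            (base / "index.php").write_text("<?php /* constructed loader */\n")
            (base / "wp-includes" / "functions.php").write_text("<?php /* constructed */\n")
        (fresh / "readme.html").write_text("constructed readme\n")
        # Constructed differences on the live side.
        (live / "index.php").write_text("<?php /* constructed loader, altered */\n")
        (live / "wp-config.php").write_text("<?php /* site config, expected extra */\n")
        (live / "wp-includes" / "extra.php").write_text("<?php /* unexpected */\n")
        return compare_trees(fresh, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keeping a copy of the live tree before reinstalling preserves the modified and added files for later review.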