Posts Tagged ‘MYSQL’

Not Quite A Hack, But Lessons Learned

Monday, June 2nd, 2008

When I woke up this morning, I noticed an email from this site, congratulating me on setting up a new blog. Wondering what the hell that was supposed to mean, I went to this site, only to be greeted with the WordPress install page (wp-admin/install.php), as if no blog existed.

I figured the MySQL on this server had crashed. I wasn’t too worried about it as I’d backed up all my data late last week anyway. I figured I’d give it an hour for the host to sort out and check back later.

By the time I got to work, the site was indeed back up. I logged into WordPress and immediately noticed that the blog title that usually runs across the top of the dashboard was now some long URL with words like “casino” and “gambling” in it. All my posts seemed to be there, so I poked around a bit and noticed that the admin email had been changed to a hotmail address.

I quickly fixed this and continued to snoop around, but didn’t find anything else out of the ordinary.

I’m figuring that early this morning, some bot attacked all or a few of the WordPress blogs on my server, ramming it with requests until MySQL bailed. Then, it used the install.php file to try and create a new blog and change the password/contact address. Of course, it failed for the most part, but still…

So, no harm done, but I’m definitely wiser. After an initial blog is created, there’s no reason to keep install.php in your files. I deleted that as well as put several restrictions in place. Much Better.

Here’s a decent list of things you can do to harden and lock down your WordPress install.
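To check whether anything has been requesting the installer on a blog that is already set up, the web server's access log can be searched for it. The script below is an added example, not part of the original post; it assumes Apache/nginx combined log format, and the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed format: combined log, e.g.
# ip - - [timestamp] "METHOD path HTTP/x" status size "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Matches the installer under any blog prefix, with or without a query string.
INSTALLER = re.compile(r'/wp-admin/install\.php(?:\?|$)', re.I)

def installer_hits(lines):
    """Return {ip: [(timestamp, method, path, status), ...]} for installer requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and INSTALLER.search(m["path"]):
            hits[m["ip"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

def suspicious(hits):
    """IPs whose POST reached the installer script (200) instead of being denied."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(meth == "POST" and st == 200 for _, meth, _, st in reqs))

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:04:12:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 2311 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:04:12:03 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 1874 "-" "-"',
    '198.51.100.20 - - [01/Jan/2024:05:30:10 +0000] "GET /wp-admin/install.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.20 - - [01/Jan/2024:05:30:11 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.5 - - [01/Jan/2024:06:00:00 +0000] "GET /index.php HTTP/1.1" 200 10412 "-" "-"',
]

if __name__ == "__main__":
    hits = installer_hits(SAMPLE)
    for ip in suspicious(hits):
        print(ip, hits[ip])
```

Once install.php is deleted or denied at the web server, every installer request should show up as 403 or 404, so any address returned by `suspicious` is worth a closer look.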

Severed connections

Friday, July 1st, 2005

If you’ve visited this site recently and noticed a big fat WordPress connection error instead of my blog, I apologize and ask you to please bear with. I switched hosts recently and apparently they are having problems with their MySQL. They tell me they’re working on it so I’ll give them a couple more days, but if the issue’s not resolved, I’ll be moving this site elsewhere. If you visit and do happen to get the error message, try checking back in a few minutes; it usually remedies itself. Again, sorry for the trouble.