3

Possible Duplicate:
Protecting WordPress installations

i have control panel access to my wordpress website, but last week it got hacked and i found that the index.php was replced by the hackers file. I am amazed how did the hacker got the access of my folders without c redentials,

Can someone help me on this? How to secure my folders from hacking?

2 Answers2

7

There are many ways to secure your Wordpress website.

First of all, you need to always keep an up-to-date version of wordpress. Very often, the Wordpress team produces a minor release that aims to fix several bugs and vulnerabilities.

It's probably how the attacker hit your website.

Now, if you search in Google, you'll find some interesting blog posts. I won't copy/paste here all the tips, but here are some good ones:

You can also consider using this plugin :

Yoav Aner
  • 5,329
  • 3
  • 25
  • 37
Cyril N.
  • 2,659
  • 2
  • 18
  • 28
5

There are several ways they could've got in:

  1. You've got a keylogger on your machine, which the hacker used to capture your password.
  2. Your admin password just sucks, and they guessed it.
  3. The attacker found a vulnerability in another service you used, and acquired your password from there.
  4. You're running an old version of WordPress with a vulnerability (e.g. SQL injection)
  5. You didn't delete the install directory of WordPress after installing.
  6. Your host was compromised.

Solutions:

  1. Make sure your computer is clean. Keep your AV / firewall up to date, run Windows updates, install the updates for browser plugins (e.g. Flash, Adobe PDF, etc).
  2. Use a good password for your admin account. If your password is a dictionary word, or in this list then you're doing it wrong.
  3. Don't use the same password everywhere, especially when it comes to privileged accounts.
  4. Keep WordPress up to date. You should have an updating feature in the dashboard somewhere.
  5. Delete the install directory, as per the install instructions.
  6. Not much you can do here, unless you're responsible for the management of the hosting.
Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • 1
    You've focused a lot on the security of "your machine" here, and I've seen other blogs/articles about wordpress security doing the same, which always puzzles me. We're talking about a hacked wordpress site here. It *could* be that a hacker first compromised a his personal machine to install a keyboard logger, *then* discovered that they are the administrator of this website, and discovered their password... but it wouldn't be my first guess. Maybe I'm missing something, but surely it's much more likely they found his wordpress site and exploited a wordpress vulnerability. – Harry Wood Aug 23 '13 at 15:11