Sherif Elsisi from tdot-blog.com Web Hosting is our guest blogger this week. He shares his experiences and frustrations with how the WordPress blogs he hosts were hacked and how he dealt with it. Great read.
I manage a small web hosting business. Lately I have had multiple attackers on my customers' sites, specifically targeting WordPress sites. I was disappointed, clueless, and frustrated, not being familiar with WordPress and its vulnerabilities.
In the beginning I didn't know where to start looking. Asking admins at the data center and in web hosting forums, I got the same comments:
All the above sounds great, but it doesn't address the root cause. I then went to my customers' file systems and checked all the directories, trying to find any suspicious files.
Here I found an issue: .htaccess files had 777 permissions and had been overwritten with code that redirects the site. I thought I had solved the issue and advised all of them to review their permissions and change any if necessary.
I also advised them to always check the permissions after they upload any plugin or any file they have changed on their local machine. Maybe they have the permissions set this way on their Windows system and that gets transferred with the FTP upload.
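The check described above, as an added example (not code from the original post): a small POSIX shell script that walks a web root, flags every .htaccess that is world-writable or carries a redirect to an absolute URL, and resets the permissions. The sample tree it builds is constructed for illustration; www.example.com-style paths and the evil.example hostname are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a WordPress
# web root for the two .htaccess symptoms described above: files that
# are world-writable (mode ends in 2, 3, 6 or 7) and files carrying an
# injected redirect. The sample tree built by make_sample_site is
# constructed for illustration; the hostnames in it are placeholders.

# Print one line per finding: "<path> perm=<mode> <WORLD_WRITABLE|REDIRECT>".
audit_htaccess() {
    find "$1" -type f -name .htaccess | sort | while read -r f; do
        # GNU stat first, BSD/macOS stat as the fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *[2367]) echo "$f perm=$mode WORLD_WRITABLE" ;;
        esac
        # A stock WordPress .htaccess only rewrites to /index.php; any
        # Redirect/RewriteRule pointing at an absolute http(s) URL is suspect.
        if grep -Eiq '^[[:space:]]*(Redirect|RewriteRule)[^#]*https?://' "$f"; then
            echo "$f perm=$mode REDIRECT"
        fi
    done
}

# Reset world-writable .htaccess files to 644 (owner rw, everyone else r).
fix_htaccess_perms() {
    find "$1" -type f -name .htaccess -perm -002 -exec chmod 644 {} +
}

# Build a throwaway site tree: one clean file, one injected and 777,
# one clean but 666. Prints the directory path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/blog"
    cat > "$d/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
    chmod 644 "$d/.htaccess"
    # Typical injection: only visitors arriving from a search engine are
    # redirected, so the owner browsing directly never notices.
    cat > "$d/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://evil.example/go.php [R=301,L]
EOF
    chmod 777 "$d/wp-content/uploads/.htaccess"
    cp "$d/.htaccess" "$d/blog/.htaccess"
    chmod 666 "$d/blog/.htaccess"
    echo "$d"
}

site=$(make_sample_site)
echo "== before =="; audit_htaccess "$site"
fix_htaccess_perms "$site"
echo "== after fixing permissions =="; audit_htaccess "$site"
rm -rf "$site"
```

Run it against a real web root with `audit_htaccess /var/www/customer` (the path is an assumption). Note that fixing the mode does not remove the injected redirect; the REDIRECT finding survives the permission fix on purpose, so the file contents still have to be restored by hand or from a known-good copy.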
In the meantime I set up a test WordPress site and watched it. A couple of weeks later the same attacker came back. This time I was really shocked!
Some customers were hacked for a second time, and others had already moved to another web hosting service. I was sure all my files looked good and hadn't been changed.
I then went to phpMyAdmin, dumped the whole database and stored it in a plain text file. I searched for the word "hack". Sure enough, it was stored in the wp_options table.
The attacker knew which rows to change, in this case the first two rows. One changes the WordPress title and the other changes the site's URL. This way he was able to redirect the site to another URL and leave you with the impression that your site had been defaced and really destroyed.
I just edited these two rows and, sure enough, the site was back up.
Remember, any database-backed website holds an open connection to its database. Knowing which rows to change, an attacker who finds a flaw that lets user input reach a query (the classic case is SQL injection in the site or one of its plugins) can update the database through a crafted browser URL or through certain screens in your site, without ever touching a file on disk.
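The database-side check described above, as an added example (not code from the original post): given a plain-text mysqldump like the one the author searched, pull the siteurl, home and blogname rows out of the wp_options INSERT statement, compare the URLs with what the site should have, and print the UPDATE statements that put them back. The dump is constructed; www.example.com and evil.example are placeholders, and the tdot_ table prefix in the usage is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Given a plain-text
# mysqldump of a WordPress database, pull the siteurl/home/blogname rows
# out of the wp_options INSERT statement, compare them with the URL the
# site should have, and print the SQL that puts them back. The dump
# written by make_sample_dump is constructed; www.example.com and
# evil.example are placeholders. Option values that themselves contain
# an escaped quote (\') are not handled by this simple parser.

# get_option DUMP NAME: print option_value of NAME (first match).
# mysqldump emits rows as (id,'name','value','autoload'), so the value is
# the 4th single-quote-delimited field of the matched fragment.
get_option() {
    grep -o "'$2','[^']*'" "$1" | head -n 1 | cut -d"'" -f4
}

# check_site_urls DUMP EXPECTED_URL: one line per option, OK or TAMPERED.
check_site_urls() {
    for name in siteurl home; do
        val=$(get_option "$1" "$name")
        if [ "$val" = "$2" ]; then
            echo "$name OK $val"
        else
            echo "$name TAMPERED $val"
        fi
    done
}

# repair_sql EXPECTED_URL TITLE [TABLE_PREFIX]: the UPDATE statements to
# run in phpMyAdmin or the mysql client. The prefix argument matters if,
# as in the post, the default wp_ prefix has been changed.
repair_sql() {
    p="${3:-wp_}"
    printf "UPDATE \`%soptions\` SET option_value='%s' WHERE option_name IN ('siteurl','home');\n" "$p" "$1"
    printf "UPDATE \`%soptions\` SET option_value='%s' WHERE option_name='blogname';\n" "$p" "$2"
}

# A minimal dump in which the attacker rewrote siteurl and blogname but
# left home alone. Prints the file path.
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-- MySQL dump (constructed sample)
INSERT INTO `wp_options` VALUES (1,'siteurl','http://evil.example/hacked','yes'),(2,'blogname','HACKED','yes'),(3,'blogdescription','Just another WordPress site','yes'),(36,'home','http://www.example.com','yes');
EOF
    echo "$f"
}

dump=$(make_sample_dump)
echo "== wp_options check =="
check_site_urls "$dump" "http://www.example.com"
echo "blogname is: $(get_option "$dump" blogname)"
echo "== repair SQL =="
repair_sql "http://www.example.com" "My Blog" "tdot_"
rm -f "$dump"
```

Checking both siteurl and home matters because WordPress uses them for different links; an attacker who changes only one still hijacks part of the site. A plain `grep -in hack dump.sql`, as the author did, remains a useful first pass, but comparing the URL rows against the expected value catches a redirect that uses no such giveaway word.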
I am glad that I have changed all my table names and denied access to my wp-admin directories, which seems to have resolved the problem. Thanks for all the tips, BlogSec.