• Hi,
    An e-commerce website (used WP E-Commerce as the plugin) that I’ve made for a client has been hacked a couple of times.
    The hosting company suspended the account yesterday and after I’d spoken to them, they said that they would change some of the writing permissions.
    They also said that WordPress is very easy to hack. Is this true?
    Anyway, the account was suspended AGAIN today.
    I was told that the hacker had tried again.
    Now I’ve changed the passwords, but the guy on the phone said that I might have to rebuild the site, as I can’t even do a backup and a restore (as the backup is hacked).

    Also, what can the hacker actually get hold of?
    Credit card details?
    As the payment is done via Paypal, I thought this was safe.
    But maybe it isn’t safe?

    Any info is much appreciated.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    An e-commerce website (used WP E-Commerce as the plugin) that I’ve made for a client has been hacked a couple of times.

    Are you up to date with the versions of your WordPress install, plugins, and themes? Even if yes, you may still be at risk. Check the timthumb write up and make sure your theme is not on the list.

    http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html
    http://blog.sucuri.net/2011/08/timthumb-php-vulnerability-not-only-affecting-themes-plugins-too-vslider.html

    The hosting company suspended the account yesterday and after I’d spoken to them, they said that they would change some of the writing permissions.

    Not an unreasonable response. But if the compromise is from the hosting company itself then it’s time to move on to another hosting company.

    They also said that WordPress is very easy to hack. Is this true?

    A stock WordPress install on a secure server is not easy to hack. Insecure plugins and themes however, THAT makes any install really insecure and causes many of the compromises. Timthumb is just a really good current example.

    Also, what can the hacker actually get hold of?

    Potentially? Anything that is stored in the database, filesystem, or transmitted and received to and from your users to that installation.

    Now I’ve changed the passwords, but the guy on the phone said that I might have to rebuild the site, as I can’t even do a backup and a restore (as the backup is hacked).

    Did you or your customer have/own the backup or is it the hosting company? That installation needs to be deloused which means:

    1 – Check your PC and then change your hosting/MySQL/WordPress passwords (which you’ve done already, I’m just being complete).

    2 – The blog owner or you need to back up the files and databases NOW and keep that backup somewhere safe off of that server.

    http://codex.ww.wp.xz.cn/WordPress_Backups
    http://codex.ww.wp.xz.cn/Backing_Up_Your_Database
    http://codex.ww.wp.xz.cn/Restoring_Your_Database_From_Backup

    3 – With the backup safe and sound (MAKE SURE IT’S GOOD AND CAN BE RESTORED) delete all the existing files and directories. Look for hidden ones as well (.something files).

    4 – Get straight from the source new and fresh copies of WordPress, the theme and plugins from the source. Do not use your own copies, they’re suspect. Configure your blog as you need.

    5 – Harden your install.

    http://codex.ww.wp.xz.cn/Hardening_WordPress

    6 – Restore the missing graphics files that your posts reference. Just the graphics and scan them first before putting them back. You want to make sure that you don’t accidentally restore bad-thing.jpg.php.

    7 – Set up a schedule for backing up those files and database off server nightly. Backup that install right now. Seriously, the Backup it is your friend and should be respected.

    8 – Consume large amounts of coffee or beer depending on your time of day. Leave that one for last.

    9 – MAKE SURE YOU ARE NOT RUNNING OTHER SOFTWARE ON THAT SERVER OR SHARING A SERVER WITH OTHER PEOPLE. Sorry for yelling but this is a lot of work and someone else on that server could ruin your day.

    It’s a lot of work but by hardening your install, practicing safe coding, and backing up the works regularly then you can (hopefully) enjoy a productive installation. And if it happens repeatedly see step 7 and especially step 8.

    Good luck.
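
Steps 3 and 6 of the reply above call for finding hidden files and scanning the graphics before restoring them. The following is an added example, not part of the original post: a Python check that walks a backed-up uploads folder and lists every file that should not be restored. The function names, the extension list and the sample files are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# Extensions a server may run as PHP (assumed list for this example).
EXEC_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".pht"}
# Leading bytes of the image types an uploads folder normally holds.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def check_file(path):
    """Return the reasons a file should not be restored (empty list = passed)."""
    name = os.path.basename(path).lower()
    reasons = ["hidden file"] if name.startswith(".") else []
    # Test every extension so bad-thing.jpg.php and x.php.jpg are both caught.
    if {"." + part for part in name.split(".")[1:]} & EXEC_EXTS:
        reasons.append("executable extension")
    data = Path(path).read_bytes()
    final_ext = os.path.splitext(name)[1]
    if final_ext not in MAGIC:
        reasons.append("not a known image type")
    elif not data.startswith(MAGIC[final_ext]):
        reasons.append("content does not match extension")
    if b"<?php" in data.lower():  # heuristic: PHP hidden inside a valid image
        reasons.append("embedded PHP tag")
    return reasons

def scan_backup(root):
    """Walk a backed-up uploads tree; return {relative path: reasons} for rejects."""
    rejects = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            if reasons := check_file(full):
                rejects[os.path.relpath(full, root)] = reasons
    return rejects

def demo():
    """Scan a constructed uploads tree (placeholder bytes, not real files)."""
    samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "bad-thing.jpg.php": b"<?php /* placeholder */ ?>",
               "banner.gif": b"GIF89a<?php /* placeholder */ ?>",
               ".htaccess": b"# placeholder\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan_backup(root)

if __name__ == "__main__":
    print(demo())
```

A file that passes these checks has only passed these checks; run the restored images through a malware scanner as well, and restore only files that your posts actually reference.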

    Thread Starter danepak

    (@danepak)

    Jan,

    Thank you so much for your extremely valuable info.
    I really appreciate this.

    All the best

    Thread Starter danepak

    (@danepak)

    Hi again,

    So just to be sure: The hacker can’t get hold of any credit card details (as payment is done through Paypal), can he?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    When you use Paypal, you pass the discussion and transaction over to them and their servers. Those servers weren’t compromised so those transactions should be fine. The emphasis on “should be” is that we’re discussing a hacked installation…

    Your client should still report the incident to Paypal. It’s the responsible thing to do.


The topic ‘Help! Getting hacked!’ is closed to new replies.