Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Just not having an index.php there won’t cause you to get hacked, nor will putting one there solve that.
In your Apache web server configuration you want to add AllowOverride All and -Indexes.
<Directory />
    Options -Indexes
    AllowOverride All
</Directory>
That Options line will turn off the ability to view directory contents like that. The AllowOverride permits things like fancy permalinks to work.
Make sure you make a backup copy of any file you edit first. If you make a typo here, then your web site will stop working and that backup copy will save you lots of grief.
As for the hacked site:
Start working your way through these resources:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
http://ww.wp.xz.cn/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://www.studiopress.com/tips/wordpress-site-security.htm
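Added example, not part of the reply above or of any project's code: a small Python check of whether the `Options -Indexes` line in `<Directory />` actually takes effect for a site's document root. Apache applies `<Directory>` sections from shortest path to longest, and an `Options` line without `+`/`-` signs replaces everything inherited, so a more specific block can turn listings back on. The sample config and the `/var/www/` path are constructed, and the parser is simplified: it ignores `.htaccess`, `Include`, and wildcard or regex sections.

```python
import re

# Constructed sample: the <Directory /> block from the reply, plus an assumed
# distro-style block for /var/www/ that lists Indexes without a sign.
SAMPLE_CONF = """\
<Directory />
    Options -Indexes
    AllowOverride All
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
"""

def directory_options(conf):
    """Return [(path, [option tokens])] for each plain <Directory> block."""
    blocks, path = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            path = m.group(1).rstrip("/") or "/"
        elif re.match(r"</Directory>", line, re.I):
            path = None
        elif path and line.lower().startswith("options"):
            blocks.append((path, line.split()[1:]))
    return blocks

def indexes_enabled(conf, docroot, default=False):
    """Effective Indexes state for docroot. default=False assumes Apache 2.4."""
    docroot = docroot.rstrip("/") or "/"
    applies = [b for b in directory_options(conf)
               if b[0] == "/" or docroot == b[0] or docroot.startswith(b[0] + "/")]
    state = default
    for _, opts in sorted(applies, key=lambda b: len(b[0])):  # shortest first
        names = [o.lower() for o in opts]
        if any(o[0] in "+-" for o in names):
            # Signed options merge into what was inherited.
            if "+indexes" in names:
                state = True
            if "-indexes" in names:
                state = False
        else:
            # Unsigned options replace the inherited set entirely.
            state = "indexes" in names or "all" in names
    return state
```

On the sample, `indexes_enabled(SAMPLE_CONF, "/var/www/html")` is still true; changing the second block to `Options -Indexes +FollowSymLinks` makes it false.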
Once WordPress completes the upgrade, the contents are removed. So it should be an empty directory.
So the next time you install an update, your index file will also be removed, leaving an empty directory again.
If you’re being hacked, I would put money on it being absolutely nothing to do with the upgrade folder but more than likely an outdated or poorly coded plugin.