Hey ron, it took me a while to find the problem. I just started looking at the settings and I noticed that the upload folder had been changed to “/../../../tmp” which looked suspicious. So I started to look at all the wordpress tables in the db and I saw a plugin that I did not add. It contained a .txt file that was sure enough in the ../../tmp directory. I took a look at that file and found it contained the text “Magic Include Shell” along with some malicious php code. I did a search for that in google and found the site linked above.
To put a server level password on wp-admin, add a .htaccess file. Here’s a site with lots of tutorials on that: 😉
This happened to me too and that solution did not work for me. If you go to your Options > Miscellaneous page and the upload directory says something like “/../../../tmp”, then you were hacked. Here is what I found to solve the problem:
magic-include-shell
