Yesterday afternoon I decided to randomly check on a client’s site as I wanted to see if they had added any of the new content they were planning on with any success. But what I saw instead of their site was upsetting. The site was now a blacked out screen which said in bright text “Hacked by [hacker's name].” I immediately attempted to log in to the backend of the WordPress installation, and found that while I could gain access using a low-level user account, I couldn’t gain access with my admin account. I was able to see two things of importance right away when I logged in on the low-level account. One was an error message stating there was a problem with my chosen theme, and the other was that my email had not been changed on the admin account, so I was able to log out of the low-level one, and request a password reset for the admin account.
Once I was in with the admin account, I did two things. I reinstalled the theme the client used, and I reinstalled WordPress fresh. I also logged in to FTP to see what was amiss. The first thing I was there were two extra index files in the root, both of which had been uploaded on the 2nd. One ending in .htm and one ending in .html, which resulted in those files being read before the index.php file, which is the only index file that should have been present. I deleted the two extra index files, and the site was restored.
By this point I was pretty sure the access was granted initially though the admin account, which, unfortunately, was named “admin,” making it an easy guess for a malicious party. I was unable to delete the account even after creating a new administrative user, so went into the host’s control panel to phpadmin and manually deleted the user from the database that way.
Then I reset all associated passwords with the web host- FTP access, control panel log-in, everything. I used the random password generator options, ensuring a rather bizarre mix of letters, numbers, and punctuation signs that would be difficult to guess.
Luckily the damage done in this attack was minor and it was easy to restore back to normal, but it could have been a lot worse. If you are using WordPress as your CMS, take a minute to backup your content once a week, make a list of any add-ons you’re using, and back up your database periodically as well. And if you have an admin account called “admin,” replace it with a differently named admin account, and delete the old one. These things only take a few minutes and make your site safer, and easier to restore should something happen to it. Better safe than sorry!