In the past 4 weeks, several Media Temple clients have reported having their WordPress installations hacked. The cause of the hacks is inconclusive. Media Temple is blaming their customers for not having secured their WordPress installations. Their customers are blaming Media Temple, especially since this sort of widespread hacking was aimed at Media Temple users last year as well. More info about the recent Media Temple hack and fixes can be found here: http://wordpress.org/support/topic/was-my-site-just-hacked-found-random-script-in-all-pagesposts
Although Media Temple isn’t my hosting company, I was hacked very badly last November, and the clean-up wasn’t pretty. I have since cleaned up 3 WordPress sites for clients who were also hacked. I don’t believe in operating from a place of paranoia, but I do believe in hardening your WordPress security as much as possible to help avoid as many potential headaches as you can.
If you’re running WordPress, especially multiple installations of it, please take the security of your installations and databases very seriously.
If you think your site has been hacked or compromised, you should immediately change passwords on your WordPress account, FTP account, database (which means you also need to change your WP config file), email account(s) associated with your domain names, and hosting admin account.
If you’re not currently using the following plugins, I highly recommend you install, activate, and configure them as soon as possible:
- Login LockDown (this plugin says it works up to version 2.8.4, but I run it without problems on half a dozen 3.0.1 installations)
- Secure WordPress
- WP-MalWatch
- WP Security Scan (this plugin says it works up to version 2.8.4, but I run it without problems on half a dozen 3.0.1 installations)
In addition, if your WP account login name is admin, it needs to be changed. That can only be done by creating a new account, assigning it Administrator privileges, and then deleting the admin user account.
Your password should be a good, strong one that doesn’t include easy-to-guess words or easy-to-find dictionary words. It should go without saying that your password should not include your name or your business name in any way. Strong passwords include a mixture of uppercase and lowercase letters, numbers, and punctuation.
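As an added example (not from the original post), here is a small Python check that ties the two points above together: it reads the DB_PASSWORD out of a wp-config.php (the file you must edit when rotating the database password) and reports every way that password falls short of the policy just described. The sample wp-config.php fragment and the word list are constructed, and the 12-character minimum is an assumed threshold, not one the post states.

```python
import re

# Constructed sample wp-config.php fragment (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'acmeblog2010');
define("DB_HOST", "localhost");
"""

# Tiny constructed word list; a real check would load a full dictionary.
DICTIONARY = ("blog", "password", "wordpress", "admin", "welcome", "secret")

# Matches define('NAME', 'value'); lines. Values containing quotes are not handled.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")


def parse_defines(config_text):
    """Return a dict of the define('NAME', 'value') constants in wp-config.php."""
    return {name: value for name, value in DEFINE_RE.findall(config_text)}


def password_problems(password, forbidden_names=(), dictionary=DICTIONARY, min_len=12):
    """List the ways a password falls short of the policy (empty list means it passes)."""
    problems = []
    if len(password) < min_len:  # assumed threshold, not part of the post's policy
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no punctuation")
    lowered = password.lower()
    for name in forbidden_names:  # your name, your business name, etc.
        if name.lower() in lowered:
            problems.append(f"contains name {name!r}")
    for word in dictionary:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


def audit_wp_config(config_text, forbidden_names=()):
    """Check the DB_PASSWORD defined in a wp-config.php against the policy."""
    defines = parse_defines(config_text)
    return password_problems(defines.get("DB_PASSWORD", ""), forbidden_names)


if __name__ == "__main__":
    for problem in audit_wp_config(SAMPLE_WP_CONFIG, forbidden_names=["Acme"]):
        print("DB_PASSWORD:", problem)
```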
All WordPress incremental core updates (e.g. 3.0 to 3.0.1) and plugin updates need to be made as soon as they’re available within your WP admin area. Incremental core updates are typically security and bug fixes. Plugin updates are usually the same. Major core updates (e.g. 3.0.1 to 3.1) can usually be made 3-4 weeks after their release.
Themes periodically have updates as well, although this isn’t as obvious as it is for the WP core and plugins. To determine if themes need updating, check the Appearance menu, where available updates will be noted.
Deactivate and delete any plugins you’re not using, and delete any unused themes, except for Twenty Ten, which is the default theme.
Any vulnerabilities on the part of a hosting company are beyond your control, but these are things you can and definitely should do on your end.
