My installation of WordPress was hacked last night. I have deleted the previous installation and installed the latest version, 1.5.1.2, but I do not know if it will be any more secure since the vulnerability 1.5.1.2 fixes from 1.5.1.1 may or may not be related (obviously, I have not been using the “default template” mentioned in the May 27th “Security Update” post in the WordPress Development Blog, but that does not mean that the same vulnerability may not also affect other templates, such as those in the Blix theme).
I am not yet certain about the point of entry, but I have had some suspicions. A new user account was created even though I have always kept the user-creation functionality of WordPress disabled. Thus, I first suspected the user-creation system because I received a user-creation notification e-mail marked 8:40pm and because hacker-uploaded files and hacker-modified files had modification times after that, but now I have my doubts because wp_users.user_registered was set to “1999-01-01 03:40:06” for the new user account (the wp_users.user_registered value for my own account is “0000-00-00 00:00:00”, which is also rather odd, but probably normal for accounts created during WordPress installation) and because one of the hacker programs connects to MySQL itself.
Strangely, the user account created by the hacker does not show up for me when I click on “Users” in the main WordPress menu; when I do, I see only the “Your Profile” tab with my own profile and my “Level” set to 4. The corresponding field in the database, wp_users.user_level, was set to 10 for the hacker. I do not know what my level was set to before, but I suspect it was higher, since clicking on “Upload” then “options” results in the following unlikely message for an administrator:
You do not have sufficient permissions to access this page.
Could the breach have been through the upload system? I will continue to look into it, but if you have any further information, please feel free to share what you know in the comments.
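A small triage script, added here and not part of the original post, that applies the two checks described above to constructed sample data: it flags wp_users rows with an unexpected level 10 or a user_registered date that predates the installation, and lists files modified after a cutoff such as the 8:40pm notification. The logins, dates, paths and install date are all made-up assumptions.

```python
# Added triage script (not from the post): flag wp_users rows that look like the
# account described above and list files changed after a chosen cutoff time.
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
ZERO_DATE = "0000-00-00 00:00:00"  # value WordPress leaves for install-created accounts

# Constructed sample rows mirroring the post: the owner's install-created account
# (zero timestamp, level 4) and an unexpected level-10 account with a backdated date.
SAMPLE_USERS = [
    {"user_login": "admin", "user_level": 4, "user_registered": ZERO_DATE},
    {"user_login": "newuser", "user_level": 10, "user_registered": "1999-01-01 03:40:06"},
]
# Constructed (path, mtime) pairs, as one would collect with os.stat() or `ls -l --time-style=full-iso`.
SAMPLE_FILES = [
    ("wp-config.php", "2005-06-01 14:12:00"),
    ("wp-content/uploads/unknown.php", "2005-06-01 20:45:10"),
    ("index.php", "2005-06-01 20:47:30"),
]

def suspicious_users(rows, known_admins, install_date):
    """Return {login: [reasons]} for accounts that deserve a closer look.

    install_date (assumed, same format as the table): any non-zero
    user_registered earlier than it is backdated, which the normal
    registration path never produces.
    """
    install = datetime.strptime(install_date, TS_FMT)
    findings = {}
    for row in rows:
        reasons = []
        if row["user_level"] >= 10 and row["user_login"] not in known_admins:
            reasons.append("unexpected level-10 (administrator) account")
        reg = row["user_registered"]
        if reg != ZERO_DATE and datetime.strptime(reg, TS_FMT) < install:
            reasons.append("user_registered predates the installation")
        if reasons:
            findings[row["user_login"]] = reasons
    return findings

def files_modified_after(files, cutoff):
    """Return paths whose mtime is at or after cutoff, in input order."""
    limit = datetime.strptime(cutoff, TS_FMT)
    return [p for p, ts in files if datetime.strptime(ts, TS_FMT) >= limit]

if __name__ == "__main__":
    for login, why in suspicious_users(SAMPLE_USERS, {"admin"}, "2005-03-01 00:00:00").items():
        print(login, "->", "; ".join(why))
    print(files_modified_after(SAMPLE_FILES, "2005-06-01 20:40:00"))
```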
One of my sites was hacked earlier today (must be one of the shortest takeovers ever; I spotted it fairly quickly and repaired it within 10 mins).
I’m not sure how they got in, they emptied the database and stuck an index.html file in the directory.
I’ve upgraded all my sites to the latest version of WordPress (I was still running 1.5), so we’ll see if that solves it.