My Wordpress site is hacked too

wordpress

#1

My site was hacked yesterday. I’m using the lastest Wordpress (3.2.1)
I edited the files and remove the bad code.

But today is back, there’s a hidden iframe on the code, it’s back, this is the code

I googled the site but no result.

Yesterday there were a lot of links too, these:

<a href="http://www.fernandomgalan.es/tag/religion/" title="viagra jelly">viagra jelly</a> <a href="http://www.fernandomgalan.es/tag/representacion-estudiantil/" title="viagra oral">viagra oral</a> <a href="http://www.fernandomgalan.es/tag/social/" title="viagra rrp australia">viagra rrp australia</a> <a href="http://www.fernandomgalan.es/tag/universidad/" title="viagra suppliers in the uk">viagra suppliers in the uk</a> <a href="http://www.fernandomgalan.es/page/3/" title="which is better cialis or viagra">which is better cialis or viagra</a> <a href="http://www.arbdesign.dk/" title="cialis for women">cialis for women</a> <a href="http://www.arbdesign.dk/contactus/" title="cialis forum">cialis forum</a> <a href="http://www.blog.arbdesign.dk/" title="cialis free sample">cialis free sample</a> <a href="http://www.blog.arbdesign.dk/2009/04/24/website-for-rental-villa-in-provence/" title="cialis stories">cialis stories</a> <a href="http://www.arbdesign.dk/about/" title="cost of cialis">cost of cialis</a> <a href="http://www.arbdesign.dk/clients/" title="coupon levitra">coupon levitra</a> <a href="http://www.arbdesign.dk/labs/" title="Order 40mg cialis">Order 40mg cialis</a> <a href="http://www.blog.arbdesign.dk/2008/04/25/cms-and-intranet-based-on-wordpress/" title="order 100mg cialis">order 100mg cialis</a> <a href="http://www.blog.arbdesign.dk/topic/rotaboard/page/2/" title="order 20mg cialis">order 20mg cialis</a> <a href="http://www.arbdesign.dk/clients/planningboard/" title="order 5mg cialis">order 5mg cialis</a> <a href="http://www.companiadepalmeras.com/" title="Lowest Prices For Cialis">Lowest Prices For Cialis</a>

No luck on Google too. Could not find any help or why this is happening.

Does anyone have a clue? What can I do to stop it?

Thanks.


#2

I don’t deal with WordPress much but there are something you must do.

  • make sure your config files are read only
  • most of the open source apps come with an installer script and suggest you to remove the install directory after installation
  • check your log files
  • check your bash history

Hope you can find some clues.


#3

The suggestions from patricktan are good, but if you don’t know what some of those things are like bash history, you’ll need to read through a few blogposts I recommend.

this is good: http://codex.wordpress.org/Hardening_WordPress
This too: http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/

you might need to adjust a few things, the 2nd article is a few years old but most of it still holds water and its recommended. Also make sure you follow the instructions on installation so that all the permissions are set properly. If this keeps happening, I would even restrict access to the admin only to your IP Address so only you can loginto the admin panel.

Hope this helps.