Site Hacked for the fourth time

I’m getting aggravated about this. My footer of my site has once again had a code injection done on it. What is wrong DH? Is there really a problem keeping the box secure?

…it might be possible that you have some insecure things in your site, especially if this has already happened.

Some things to check:
file permissions
strong FTP passwords
everything updated in WordPress
you don’t have the Admin account enabled.

I agree, the insecurity is most likely not a problem with “keeping the box secure”. It’s far more likely that the site owner has unknowingly introduced a back door by installing an insecure theme or plugin.

I had a local customer that I did other work for call me once and ask me for my thoughts about something very similar regarding a personal website they were maintaining. I suggested it might be a weakness with a WP theme or plugin and the response was “oh no it can’t be, We paid a lot of money to have that done professionally.” In the end, that was the problem.

You’re running WordPress, so here’s the most frustrating thing about it when you’re hacked: If you don’t clean up every last inch of it right, those Damn Dirty Hackers come back over and over again.

Generally speaking, they get in because of a vulnerability in one of your themes or plugins, OR they’ve got your password. DH servers are pretty secure and so is core WordPress (nothing is 100% in life, it’s a moving target and we’re constantly working to make WP and DH tougher). The problem with plugins and themes is they’re not as rigorously peer reviewed. Speaking as a plugin review volunteer for WordPress.org, most of the insecurities are never reported :(

I’ve been maintaining this wiki page for how to clean up a WP hack: http://wiki.dreamhost.com/WordPress_Hacks

The tl;dr is that you’re going to delete all the WP files except for your uploaded content and your config file, change your passwords, THEN reinstall all the files. I would recommend reading the page if you’ve never tried that before, but it is exactly the steps I go through when I clean up someone’s hacked site.

admin has been renamed in the database. When WP installs it throws one account named admin you can’t change the name of (by UI means).
The problem is wp-content/themes/k2/footer.php in the site. Every other day it seems like its file permissions are changed to 777 while a blob of SEO junk is thrown in. This makes it quite obvious that it isn’t a flaw in WordPress. When I see it I change it to 644 and delete the offending section. I’m thinking of just modifying the theme so footer.php isn’t used.

Is there a way to access FTP records for the site so I can see where the offending attack is coming from?
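
The pattern described in the last post (footer.php repeatedly rewritten and flipped to 777) can be caught early with a baseline-and-compare check. The following is an added example, not part of the original thread or DreamHost's tooling; it assumes GNU `sha256sum` is available, and the function names and manifest location are hypothetical.

```shell
#!/bin/sh
# Added example: baseline-and-compare audit for a theme directory such as
# wp-content/themes/k2. Function names and the manifest path are assumptions.
# Keep the manifest OUTSIDE the audited tree so an intruder cannot rewrite it.

# Record SHA-256 hashes of every file under DIR (run on a known-clean copy).
wp_baseline() {   # usage: wp_baseline DIR MANIFEST
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# Files whose content no longer matches the manifest (or that were deleted).
wp_changed() {    # usage: wp_changed DIR MANIFEST
    ( cd "$1" && sha256sum --quiet -c - 2>/dev/null ) < "$2" |
        sed -n 's/: FAILED.*$//p'
}

# Files present on disk but absent from the manifest (e.g. a dropped script).
wp_new() {        # usage: wp_new DIR MANIFEST
    { sed 's/^[0-9a-f]*  //' "$2"; echo "--"; ( cd "$1" && find . -type f ); } |
        awk 'seen_sep { if (!($0 in known)) print; next }
             $0 == "--" { seen_sep = 1; next }
             { known[$0] }'
}

# Files any local user can write to, such as a footer.php flipped to 777.
wp_world_writable() {   # usage: wp_world_writable DIR
    ( cd "$1" && find . -type f -perm -0002 )
}

# Print one labelled line per finding; return 1 if anything was found.
wp_audit() {      # usage: wp_audit DIR MANIFEST
    findings=$(
        wp_changed "$1" "$2"   | sed 's/^/CHANGED /'
        wp_new "$1" "$2"       | sed 's/^/NEW /'
        wp_world_writable "$1" | sed 's/^/WORLD-WRITABLE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run `wp_baseline` once right after a clean reinstall, then call `wp_audit` from cron; the modification time of any file it reports narrows the window to look at in the access logs.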