WordPress is great, but the more people that use it, the more “criminals” out there that will target it’s vulnerabilities.
Alex has a detailed write up covering his site being hacked, in My website was hacked – yours could be too! You won’t know until it’s too late.
From the article (read the whole thing):
Yesterday I found out that my website had been hacked. Not only that, but it had been hacked months ago, and I hadn’t even noticed. How did this happen?
I only found out about it because somebody was kind enough to email me to let me know that they saw this on Google
Even the best of us get hacked when we use any “standardized” platform (Windows, OS X, WordPress, Drupal, etc.).
What is WSO? It’s an environment hackers can upload to your server when they find a vulnerability, and use it to access everything on your site. When you’ve been hacked, this is the payload that a hacker wants delivered. It could site dormant for months before being activated. Ever hear about those “Zombie Computers”? WSO is like a bite from a zombie, it can transform your website into anything they want at any time, all they have to do is wake it up.
Did Alex make any mistakes? Maybe … he should have been aware of the TimThumb vulnerability, as most WordPress developers were. Is it his fault? Not really.
Recently I’ve been an advocate of “Purpose Built” WordPress themes and sites. As much as possible, I encourage clients to leverage fewer “plugins” and “themes” as they introduce bloat and complexity. This bloat and complexity allows for security vulnerabilities to hide in all that unnecessary functionality.
Unfortunately, a “Purpose Built” site is more expensive, and typically offers less functionality. It’s like building a race car. You question the weight of everything, you tweak everything, and you are aware of every little piece of code that runs on your site. Why? Because you wrote it all.
It’s also important that all web developers setup a Google Webmaster account, and check it regularly. If nothing else, I’ve had Google tell me when my client site’s were hacked (this wasn’t my fault, they had a virus on their system that gave hackers their FTP password — we traced it back to that). Be proactive if you see this on a client site. Whether or not it’s your fault, your client’s site is losing traffic. Tell them, and be prepared with a recommendation to fix it.
Frequently I find the best thing to do in the case of a WordPress hack, is to re-build the installation. Once you know why it was hacked, you should eliminate the cause, backup your site (both wp-content and the database), and re-install WP. As Alex said in his story, not only was his site hacked, but it installed further hacks in core WordPress files. Sometimes you think you have recovered from a hack, only to find the same hack months later.