K, this is my first real contribution to BHW, hope you enjoy it!
Lately I keep seeing threads where people get hacked using WordPress. Usually when you get hacked using WordPress it is by a script kiddie who googled you with a custom footprint for a given plugin you use and gained access by SQL injection.
So here are a few steps to avoid getting hacked by script kiddies:
1. Always install and update your WordPress blog to the latest version!
You can do that by going to http://wordpress.org and checking the current version. They release new updates because of exploits found in their PHP code, so it's vital for you to update on time!
2. Before installing any plugins I suggest you go to google.com and type in:
"plugin name" + exploit
Example:
wp super cache exploit
and see what that gives you. Look around and check which version is exploitable; if you have the exploitable version don't install it, and if you already have it installed, disable and uninstall it!
3. Rename your WordPress admin folder when you are not using it! For instance rename wp-admin to a random name; when you need to get into your admin panel you simply rename it back to wp-admin, and when you log out rename it back to something random. That will throw off the script kiddie (I'm referring to hackers as script kiddies) because kids that hack sites through vulnerabilities just for the sake of it are not smart enough to find a hidden admin folder.
If you want to permanently rename your WordPress folder and make the new path functional, I have found a few links on Google:
Code:
http://www.rockyrasonable.com/websites/wordpress-change-wp-admin-folder-name
And many others if you just search Google for it!
4. Adding a .htaccess rule to your WordPress folder
Now you must understand that sometimes when you are on a shared hosting plan with other sites, hundreds of sites, and one of the sites gets shelled (by shelling I mean a hacker manages to upload a script that allows him to upload, edit and delete files on the server and in the SQL database), your site is vulnerable as well, because the shell allows him to browse through all the files on the server, meaning your account as well! Some hosting providers have protection against this, many don't, so sometimes it might not even be your fault.
Code:
http://www.howtogeek.com/howto/the-geek-blog/protecting-your-wordpress-admin-panel-from-hackers-with-htaccess/
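An added example (not from the original post) of the kind of .htaccess rule step 4 refers to, in Apache 2.4 syntax: it password-protects wp-admin and additionally limits it to one trusted address. The password-file path and the IP address are placeholders.

```apache
# Added example: place this file at wp-admin/.htaccess (Apache 2.4 syntax).
# Access requires a valid HTTP Basic login AND a request from a trusted address.
# Both the .htpasswd path and the IP below are placeholders, not real values.

AuthType Basic
AuthName "WordPress admin"
# The password file must live outside the web root; create it with:
#   htpasswd -c /home/example/.htpasswd adminuser
AuthUserFile /home/example/.htpasswd

<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>

# admin-ajax.php is called by the public front end and by plugins for
# anonymous visitors, so it must stay reachable without the login.
<Files admin-ajax.php>
    Require all granted
</Files>
```

wp-login.php lives in the WordPress root, not in wp-admin, so it needs its own `<Files wp-login.php>` block in the root .htaccess. The host must also allow `AuthConfig` and `Limit` overrides for .htaccess files to take effect.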
This is how a shell looks:
Code:
http://corz.org/corz/c99.php
Now, when you get hacked the best thing to do is to roll back to a backup! Because when I used to be a script kiddie I for one used to plant my shells all over the place, so once they deleted my shell I'd still have access to my other ones.
I'll update this if anything else pops into my mind; also feel free to ask questions or to add!