I've had my site (www.imfaction.com - DO NOT OPEN IT IN YOUR BROWSER) hacked about a month ago. Didn't have much time to take care of it but now found some. If you want to look at the site (not much to see) I recommend you open it in a sandbox environment or virtual machine, just in case there's a browser exploit hooked on the page that might infect you. Doesn't seem to be, but I can't be 100% sure.

Ok, so I had the site hacked about 3-4 times within this month, by 3-4 people. Or maybe just once but he changed the defacement page (less likely). WordPress was at the latest version and I had some plugins which were not up to date, but when I checked their changelogs there are no security related entries, so I don't think that's how they got in. Also my host seems to have issued several press releases about WP exploits. They were unable to figure out how the exploits work though, and what the attack vector was. Thing is, somebody seems to know a way in and the exploit is not public.

I also have a Piwik install on the same host, and though I think it was at the latest version when I got hacked the 1st time, a new version appeared meanwhile. Had no time yet to check Piwik. I don't think that was how they got in though.

Anyway, what I was able to find so far:

- A mail form coupled with a random-password session script, so the hacker protects it from others. Both files are in /public_html/.
- A PHP shell in the /wp-content/themes/ directory. The shell dir contains a symlink to the root dir. Didn't get to analyze what it does.
- A modified index.php file of the theme I had enabled. This contains the current defaced homepage that is seen publicly.
- The WordPress credentials were changed. I had a non-default admin username but now it is 'admin'; he also changed the email address to another one (free email) and the password. The password is 34 characters, which means it is not an MD5 hash. Not sure if WP salts the passwords adding extra characters or it's a hack of the guy who hacked me.
There are 2 more themes in /wp-contents/themes: one is the shell, the other I haven't looked into but it was made by one of the hackers. The directories are 'x' and 'shell'. In the WP admin interface 'x' appears as a child theme of the Twenty Ten default WP theme.

Plugins I have installed and enabled:
Acronyms 2
Akismet
Enable Image Scaling on Upload
W3 Total Cache
WP-Piwik
WP No Category Base

Plugins installed but NOT enabled:
Accessibility Abbreviation
File Inliner
MailPress
Newsletter
Newsletter Sign-Up
Sendit
WP No Category Base - WPML compatible
WP No Tags Base

Active theme: Nest
Inactive themes: Twenty Eleven, Twenty Ten

My recommendations:
1. BACKUP EVERYTHING. Backup now and backup every time you make updates to the site, or set up an automated backup system.
2. Set restrictive permissions on all files and directories. /wp-content/uploads/ has to be writable, same with the 'cache' directory if you have a caching plugin. The rest should be read-only - both the files and the directories.
3. Uninstall and completely delete all plugins that you don't have enabled.
4. Uninstall and completely delete all plugins you don't really need.

That's all I have so far. Will update when I find something new.
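Recommendation 2 above, as an added shell example (not the poster's own script): it audits a WordPress document root for anything writable outside wp-content/uploads and wp-content/cache, flags PHP files dropped into uploads, and can apply the 644/755 read-only layout. It assumes the standard WordPress directory layout and builds a constructed sample tree so it can be tried offline.

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumes a standard WordPress
# layout under DOCROOT, with wp-content/uploads and wp-content/cache as the
# only directories that must stay writable (recommendation 2 above).

# Print every file or directory outside uploads/ and cache/ that is group- or
# world-writable, plus any PHP file inside uploads/ (no PHP belongs there).
wp_audit() {
    root="$1"
    find "$root" \( -path "$root/wp-content/uploads" -o -path "$root/wp-content/cache" \) -prune \
        -o \( -perm -020 -o -perm -002 \) -print | sed 's/^/writable: /'
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sed 's/^/php-in-uploads: /'
}

# Number of findings, usable as a pass/fail value in scripts and cron jobs.
wp_audit_count() {
    wp_audit "$1" | wc -l | tr -d ' '
}

# Apply the read-only layout: 755 directories, 644 files; uploads/ and cache/
# are left untouched. Run as the file owner after restoring a clean backup.
wp_harden() {
    root="$1"
    find "$root" \( -path "$root/wp-content/uploads" -o -path "$root/wp-content/cache" \) -prune \
        -o -type d -exec chmod 755 {} +
    find "$root" \( -path "$root/wp-content/uploads" -o -path "$root/wp-content/cache" \) -prune \
        -o -type f -exec chmod 644 {} +
}

# Constructed sample tree (not a real site): a world-writable theme directory
# and file, plus a PHP file inside uploads/, so the audit has something to find.
make_sample_site() {
    root="$1"
    mkdir -p "$root/wp-content/themes/nest" "$root/wp-content/uploads/2012" "$root/wp-content/cache"
    echo '<?php // theme index' > "$root/wp-content/themes/nest/index.php"
    echo '<?php // should not be here' > "$root/wp-content/uploads/2012/x.php"
    chmod -R u=rwX,go=rX "$root"                   # clean baseline regardless of umask
    chmod 777 "$root/wp-content/themes/nest"       # bad: writable theme directory
    chmod 666 "$root/wp-content/themes/nest/index.php"   # bad: writable theme file
    chmod 777 "$root/wp-content/uploads/2012"      # allowed: uploads must be writable
}
```

Run `wp_audit /path/to/docroot` on a live site to list findings, and only call `wp_harden` once the site has been restored from a known-clean backup.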