RE: Username – admin Since version 3.0 the installer asks the user to provide a username for the main account, you obviously won’t get this option if you upgrade from an older version(because it’s not a new installation). You can see an image of this here: http://codex.wordpress.org/Installing_WordPress#Step_5:_Run_the_Install_Script RE: Blocking malicious users There’s no real effective … Read more
The parent directory (which I don’t have access to) uses htpasswd, but I can override this for my directory only by adding Satisfy Any to .htaccess. This fixes the issues I was having. I’m ok with disabling the authentication temporarily to run a scan and turning it back on afterwards. More info on disabling htpasswd … Read more
Yes, this seems to be appropriate use of insert() method, which does call prepare() method on data internally. Note that %s is considered to be default for it and can simply be omitted, if no other data and formats are involved.
My process for cleaning a hacked site includes changing all credentials (user/pass) on hosting, FTP, WP (don’t use an admin-level user called ‘admin’) updating everything- from the repository – WP, themes, plugins. Remove old/unused plugins and themes use FTP of file manager to check every folder for files that look out of place (look at … Read more
If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.
The web installer writes configuration data into that file. It needs write access for that. I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.
Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords! Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php … Read more
There is no “WordPress Firewall”. A firewall acts either on the network or on the host, never on a later stage such as a specific software running on a server. Everything that claims to be a firewall specific for WordPress is a scam. See the linked Wikipedia article for the details.
I recommend these basic things: Never touch core files! Always update core and plugins Use strong passwords Don’t use abondoned plugins or themes Use a well maintained security plugin (like wordfence?) Of course you can use more security tools and settings for server e.g., but this should be the basic.Maybe there are more things to … Read more
Figured this out after finding this page: http://www.0to5blog.com/tips/protecting-wordpress-media-uploads-unless-user-is-logged-in/ That page contains the instructions I was looking for, exactly! I tweaked the dl-file.php code slightly to meet my needs: if ( !current_user_can( ‘read_private_posts’ ) || !is_user_logged_in() ) {