• I’ve now had 4 sites hacked by the same technique…same source (or at least the same footprints left).

    Somehow they insert their email “ijq-@hotmail” (yes, with the .com) as the admin then have WordPress reset the password and email it to that address. In subsequent entries they replace portions of the “classic” theme to create a redirect to a pseudo Middle Eastern splash screen trying to suggest they are some sort of terrorist group. The admin takeover seems to be bot driven.

    If you catch it quick…it’s easy to fix. Use phpMyAdmin to directly access your database and edit your user table to correct what they’ve hacked — remember to fully delete their password and use the MD5 function to set up correct enciphering of your new password.

    DOES ANYONE HAVE ANY INSIGHTS ON WHAT BREADCRUMBS THE BOT IS FOLLOWING TO FIND SITES TO HACK AND/OR WHAT ADDITIONAL MEASURES WE NEED TO TAKE TO AVOID THIS PAIN IN THE TUCAS? I’ve had one site hit twice despite taking all recommended measures I’ve seen.

    My sites have the latest WP install, do not use the “powered by WordPress” footer, I have the Security plugin installed, and I know they are not accessing via cPanel. Themes do not use the encode[] advertising attribute.
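
A check for the footprint described in the post above (an administrator account whose e-mail address has been swapped), as an added example that is not part of the original post. It assumes the default `wp_` table prefix, uses an in-memory SQLite copy of the two tables as constructed sample data, and the function names and addresses are hypothetical placeholders.

```python
import sqlite3

# Constructed sample data: a miniature copy of the two WordPress tables involved,
# assuming the default "wp_" table prefix. All addresses are placeholders.
SAMPLE = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,
                       user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
INSERT INTO wp_users VALUES
  (1, 'admin',  '<hash>', 'intruder@mail.example', '2007-01-05 10:00:00'),
  (2, 'editor', '<hash>', 'writer@example.org',    '2007-02-11 09:30:00'),
  (3, 'owner',  '<hash>', 'owner@example.org',     '2007-03-02 14:12:00');
INSERT INTO wp_usermeta VALUES
  (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
  (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
"""

# Lists every account holding the administrator role. The same SELECT can be
# pasted into the SQL tab of a database admin tool.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def unexpected_admins(conn, known_emails):
    """Return administrator rows whose e-mail is not one the site owner expects."""
    known = {e.strip().lower() for e in known_emails}
    rows = conn.execute(ADMIN_QUERY).fetchall()
    return [r for r in rows if r[2].strip().lower() not in known]

def load_sample():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

if __name__ == "__main__":
    for uid, login, email in unexpected_admins(load_sample(), ["owner@example.org"]):
        print(f"ALERT admin id={uid} login={login} has unexpected e-mail {email}")
```

Run on a schedule against a read-only database account, a check like this surfaces the swapped address before the password-reset mail has been acted on.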

Viewing 1 replies (of 1 total)
  • The topic ‘HACKER = ijq-@hotmail’ is closed to new replies.