• Resolved pezastic

    (@pezastic)


    My site provider sent me a notice saying “your WordPress script was vulnerable” and anyone could add/edit/delete any file within my web space using the script. They said that someone uploaded a file named mail.cgi to my site and started sending spam out using that script.

    Can anyone tell me how this may have happened and, more importantly, how to avoid it from occurring again? I really don’t want to lose my site because of abuse by a third party unknown to me.

Viewing 6 replies - 16 through 21 (of 21 total)
  • Thread Starter pezastic

    (@pezastic)

    I have always respected podz’s suggestions and kind of took the one in this thread to heart and wrote back to my provider the same basic verbiage that he used in his post. They replied with this:

      If you upload a script to your web site that allows anyone to add/edit/delete files within your web site, that has nothing to do with the environment of the server. The script allows anyone to add/edit/delete files within your web site and that is what they are using. It has nothing to do with the environment of the server. You need to keep all scripts within your web space up-to-date on a daily basis – basic webmastering.

      We do not provide webmaster services. If you need help in keeping your scripts within your web space secure, and up-to-date hire a webmaster.

    Now, I’m totally stupid here. How am I supposed to keep all scripts within my web space up-to-date on a daily basis? What does that entail?

    Thread Starter pezastic

    (@pezastic)

    I know you guys said to change hosts, but I looked into it and the deal I have is so great (other host providers I read about charge huge fees!) that I’ll just try to solve this security vulnerability some other way.

    I was thinking about backing everything up. Copy and pasting all my entries to Word. Nuking my site, as if I was a totally new client of my host provider. Installing the latest WordPress and then pasting all my entries to that. I only have 95 posts and I think a third of those were picture collections, so it wouldn’t be a big deal to paste them in.

    The big problem would be setting up the categories again. I have 101 categories, because the way I had my site divided into people, places, things, and ideas (for future expansion). That would be a major pain in the butt to put back all those categories, ’cause they all have descriptions that go with them and they’re organized nicely into sub-cats and sub-sub-cats on the frontpage, which uses a java-based open and close tree-like display for them, which I really like, but can’t remember where I got it or how I installed it.

    There are also other variables involved with a virgin install, as I’m sure you can all understand. I’m just wondering if this would be a good idea, or is there something less drastic that I could do that would bring about the same high level of security?

    whooami

    (@whooami)

    your host was spot on in the first thing they told you regarding file and directory permissions, and that someone was able to and probably did, in fact, upload a malicious script to spam.

    permissions are key.

    files need to be readable but NOT WRITABLE == 644
    directories need to be accessible, but NOT WRITABLE == 755

    There is a very good level of security built into apache, as long as basic common-sense is applied.

    Thread Starter pezastic

    (@pezastic)

    Thanks, whooami. Sorry to drag this problem out, but my time is limited and I’m not working on my website every day now. (That, coupled with my ignorance about these things, is probably why it got hacked.)

    Paraphrasing podz:

      Check the users for each app in MySQL. Delete all but you. Change all your passwords to long complex strings, such as 8Jik:mNiP(d/GDF53]

      CHMOD every file to 644
      Every directory to 755

    Is that what I should do, AFTER going through the upgrade steps for WordPress 2.0 to 2.01?

    Something else concerns me. Some of you keep mentioning “apache” which, if I’m not mistaken, is controlled by my web host. Could the hacker have gotten into my website through a file that I don’t have control over, but they do? Is that why some of you said to change hosts, rather than try to deal with the problem from my end (as they suggested)?

    I just left the same host you have. And though they are cheap, their customer service skills reflect in the cost. Definitely not enough savings worth the blatant disregard for an issue on their end and the way I was treated, as if I was troubling them, or “calling them out”. Ultimately they blamed another site for being a resource hog. Funny thing was, I was due to renew in 2 weeks, and was looking at a much larger package. Guess they have all the business they need.

    Don’t delete any files before doing a full backup, including the databases. cPanel has a backup that will automate the process for you. You should be able to import your database into a new WP, be it on this site, or another.

    And I’d follow Podz’s instructions regarding the database users before upgrading.
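
Added example, not part of any post in this thread: a shell audit for the 644/755 advice given by whooami and podz above. It lists anything group- or world-writable, CGI/Perl scripts to review, and recently changed files; the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit a web root against the thread's advice: files 644, directories 755.

# List files and directories that group or others can write to.
list_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# List CGI/Perl scripts for manual review (the spam script here was mail.cgi).
list_cgi() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) -print | sort
}

# List files changed in the last N days, to spot uploads you did not make.
list_recent() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Apply 755 to every directory and 644 to every file under the root.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree (not a real site) so the script runs as-is.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    echo '<?php' > "$root/index.php"
    echo '#!/usr/bin/perl' > "$root/wp-content/uploads/mail.cgi"
    chmod 644 "$root/index.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/mail.cgi"
    echo "$root"
}

site=$(make_sample)
echo "Writable by group/others:"; list_writable "$site"
echo "CGI scripts to review:";    list_cgi "$site"
fix_perms "$site"
echo "Still writable after fix: $(list_writable "$site" | wc -l)"
rm -rf "$site"
```

On a real site, run the three `list_` functions against your own web root first and review the output before calling `fix_perms`; resetting permissions does not remove a script that has already been uploaded.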

    Thread Starter pezastic

    (@pezastic)

    It happened again. My website security was compromised. Someone was using a script on my site to send out spam that used up large amounts of bandwidth. I followed all of the aforementioned suggestions and it didn’t seem to matter. Now, I can’t even check the logs as to what actually took place, as my webhost terminated my account. So, now I’m looking for another host.

  • The topic ‘My WordPress script was vulnerable?’ is closed to new replies.