Last week we mentioned a few plugins for finding and cleaning hacks. With that same client, we found a new vector of attack that is immune to a lot of the new tactics. In one instance, we found that the code was placed in clear text, rather than obfuscated by base64 encoding. Basically, the new code was hiding in plain sight and was not being examined by the other exploit scanning software. The way the attacks are occurring seems to suggest that WordPress hack attacks are evolving.
Another interesting development was that after tracing down the attacker through the access logs, we found that they were actually getting into the system by using an exploit in a non-active theme file. Remember, even if your theme is NOT active, it can still be accessed via the web. (Default themes like Twenty-Eleven and Twenty-Ten can be vulnerable.)
Our advice is:
1.) If you aren’t using it, remove it. This goes for plugins and theme files.
2.) Keep EVERYTHING up to date: plugins, WordPress, and server patches.
3.) Run exploit scans every once in a while.
4.) Always make sure you have access to the web server logs, even if you are on a shared hosting plan.
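
To act on points 1 and 4 together, the access logs can be checked for direct requests to PHP files inside themes that are not active, which is the entry point described above. The following Python script is an added example, not code from the original post; it assumes Combined Log Format, a hypothetical active theme named `mytheme`, and constructed sample log lines.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Direct request to a PHP file somewhere under a theme directory.
THEME_PHP_RE = re.compile(r'/wp-content/themes/(?P<theme>[^/?]+)/[^?]*\.php(?:$|[?/])', re.I)

def inactive_theme_hits(lines, active_themes):
    """Return (ip, method, theme, path, status) for PHP requests to themes not in active_themes."""
    active = {t.lower() for t in active_themes}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        t = THEME_PHP_RE.search(m["path"])
        if t and t["theme"].lower() not in active:
            hits.append((m["ip"], m["method"], t["theme"].lower(), m["path"], int(m["status"])))
    return hits

def summarize(hits):
    """Count hits per (theme, ip) so repeated access from one source stands out."""
    return Counter((theme, ip) for ip, _, theme, _, _ in hits)

# Constructed sample log lines (documentation IP ranges, hypothetical theme and file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2012:13:55:36 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2012:13:56:01 +0000] "POST /wp-content/themes/twentyten/helper.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Oct/2012:13:56:05 +0000] "GET /wp-content/themes/twentyten/helper.php?x=1 HTTP/1.1" 200 980',
    '198.51.100.7 - - [10/Oct/2012:13:57:10 +0000] "GET /wp-content/themes/mytheme/index.php HTTP/1.1" 200 0',
    '192.0.2.44 - - [10/Oct/2012:13:58:22 +0000] "GET /wp-content/themes/twentyeleven/404.php HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    # "mytheme" is the assumed active theme; replace with the site's real one.
    for (theme, ip), n in summarize(inactive_theme_hits(SAMPLE_LOG, ["mytheme"])).most_common():
        print(f"{n:3d}  {theme:15s} {ip}")
```

Any theme that shows up in this output and is not in use is a candidate for removal under point 1; a 200 response to a POST against such a file deserves a closer look at that file.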