Many hosted WordPress sites were hacked in April and May. GoDaddy in particular had a large number of sites affected. If you believe Slashdot the exploit triggers on traffic referred from Google.
No word yet on how exactly attackers are getting into sites, but several blogs such as here, here and here explain how to tell if you are hacked and how to clean up.
I have yet to see any official explanation from GoDaddy or any other hosting provider. Some sites speculate about brute force attacks on the admin account, but that is unlikely. It looks more like another flaw related to PHP and permissions, similar to the BUZUS attack in April. The result of that was the recommendation to change the wp-config.php permission to 0640 (instead of 0750). Some have suggested attacks come from shared/co-tenant systems where malicious users search for readable wp-config.php files to steal database credentials.
Nonetheless, assuming you have already hardened Apache and PHP and changed your file permissions (755 on directories wordpress, wp-includes, wp-content/themes, wp-content/plugins, wp-admin, wp-admin/js, wp-content and 644 on files .htaccess, wp-admin/index.php), here are a couple suggestions to better protect administrative access to a WordPress installation:
- Change the admin username: locate the user_login column in the user table of your database and change the admin row to something unique
- Create a .htaccess file in the wp-admin directory. You can either restrict admin by IP or by password. Here is an example that will force authentication by password:
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
You also should consider installing the SecureWordpress and WP Security Scan plugins.
In related news, WordPress itself was down today. Apparently over 9 million sites were affected by a network configuration error (spanning-tree).