I am not the owner, but I’m definitely curious as to how the breach may have happened. There’s not a huge amount of information but I’m sure people might be able to make suggestions as to how this might have happened.
Running your own WordPress is like skydiving without a chute. I think if I were locked into WP, I’d go with one of the specialized hosts that take additional measures to prevent and detect such nonsense.
I have to agree. There are too many points of failure with WP.
Once it’s been compromised, you cannot trust it again. Reinstall and restore from backups.
I’m also slightly amazed people use shared web hosting nowadays, especially with the slow rise of web applications that expect to be deployed as their own servers (not as a loose collection of PHP files), the affordability, and power of VPSes. I guess good ol' “secure” WordPress will last a long time though.
Shared web hosting is stunningly cheap. I host a couple dozen blogs for friends and family in the leftover space that comes with my $8/month plan.
Along the lines of not trusting it again: I occasionally teach an intro to git workshop. Last year, I was chatting with the audience to get an idea of experience levels and interests before I started presenting. I met a guy who was the lead developer at a small local consulting firm. He said he’d really been looking forward to it, but he didn’t know that he’d be able to pay much attention as he’d spent the day closing a security hole in a client’s site, but he still had to go through every PHP file to check for malicious code left behind. I was stunned, and told him that he should definitely pay attention because finding those additions would be literally one command if he’d been using git (i.e. git diff). In fact, in the room of two dozen web professionals, only two had (minimal) prior experience with source control. It was a surprising reminder for me where average development practices are.
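Added example, not part of the thread: the git check mentioned in the comment above, run against a constructed site in a temporary directory. Plain `git diff` only covers tracked files, so this sketch uses `git status` to list new and ignored files as well; the paths, file contents and the `changed_files` helper name are assumptions.

```shell
#!/bin/sh
# Added example; every path and file content below is constructed.

# changed_files DIR (hypothetical helper): print "STATUS<TAB>PATH" for each
# file that differs from the last commit: M/D tracked, ?? new, !! ignored.
changed_files() {
    # --untracked-files=all lists new files one by one instead of collapsing
    # a new directory; --ignored also shows files hidden by .gitignore.
    git -C "$1" status --porcelain --untracked-files=all --ignored |
        awk '{ s = substr($0, 1, 2); gsub(/ /, "", s)
               print s "\t" substr($0, 4) }'
}

demo() {
    site=$(mktemp -d) || return 1
    git -C "$site" init -q
    git -C "$site" config user.email "demo@example.invalid"
    git -C "$site" config user.name "demo"
    mkdir -p "$site/wp-content/uploads"
    printf '<?php echo "home"; ?>\n' > "$site/index.php"
    printf 'wp-content/uploads/\n' > "$site/.gitignore"
    git -C "$site" add -A
    git -C "$site" commit -q -m "known-good baseline"

    # Constructed tampering: a line appended to a tracked file, and a new
    # PHP file placed in a directory that .gitignore excludes.
    printf '<?php /* injected */ ?>\n' >> "$site/index.php"
    printf '<?php /* dropped */ ?>\n' > "$site/wp-content/uploads/x.php"

    changed_files "$site"
    # Show only the added lines of the modified tracked file.
    git -C "$site" diff --unified=0 -- index.php | grep '^+[^+]'
    rm -rf "$site"
}

demo
```

The comparison is only as trustworthy as the baseline: the `.git` directory on a compromised host can itself be altered, so check against a clone kept elsewhere.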
OpenShift is also stunningly cheap/free for most use cases.
Nowadays low end VPSes are even cheaper - $2/mo was for a 128 MB RAM VPS in Atlanta, last I checked. That’ll run basic stuff just fine.
If you’re going to the trouble of administering a PHP web application and the hassle it entails, you can manage the system.
I don’t go to the trouble - my host (Dreamhost) has a lot of features that mean it takes under ten minutes to register a domain, configure email addresses/Google Apps, and have them automatically maintain WordPress updates.
Looks like they just posted part 2. http://www.bigmessowires.com/2015/07/14/web-hack-analysis-part-2/
Provides some interesting stuff, but doesn’t shed too much more light on the hack.