Was Wordpress Hacked by SQL Injection Vulnerability?
Posted on April 6th, 2009. 4 comments.

I’m not quite so satisfied with Wordpress at the moment. One of my blogs got hacked into seemingly effortlessly by a hacker. I was trying to track his footsteps by examining my log. I noticed that the hacker used one of the search engines to find all instances of Wordpress on my shared hosting IP address and server, then he hacked straight into my admin screen at the very first attempt – no cracking involved on the password – just straight in!
I dug around a bit and noticed that he had also hacked into several other Wordpress blogs that happened to be on the same shared hosting. Fact is I would not even have known the blog had been hacked if he had not left a post advising that the blog had been “hacked by XXXXXX” with an invitation to email him on a hotmail account, same on the other blogs. Scanning around using google I could find quite literally hundreds of other blogs (and other php/mysql based software) hacked by the same person, plus links to a defacement hacker’s web site where there was a scoreboard of defacement hacks achieved.
From finding the blog it took literally 2 minutes to deface it by overriding the admin password, uploading some dodgy php files doing goodness knows what, and doing something with the theme editor. Disconcerting to say the least. I also scanned around on google to see if there was any information as to how this could have been done and found very little information other than to upgrade to the latest version of Wordpress. There was a bit of waffle about using secure passwords but not much concrete to go on.
My suspicion is that the hacker first overrode the admin password by using a technique called SQL injection. Basically this is where a hacker simulates a browser session by invoking a call to a php program with a known vulnerability (or validation loophole), passing arguments that are then used in a mysql call by the php program to update, in this case, the password. My understanding here is a little sketchy at the moment, so apologies to any techies who understand this process better than I do. Once the admin password is changed the hacker can log in and do all sorts of no good using the standard admin functions.
Here are some of my ideas to protect our valuable blogs from these evil hackers:
- Back up your website regularly
- Back up your mysql database regularly
- Upgrade to the latest version of Wordpress so that any known vulnerabilities have been patched
- If you are quite technical, when hacked try to do a little digging around and broadcast your findings to the wider wordpress user community
- Use phpMyAdmin to find your hashed admin user password – save a copy of this, then you can use phpMyAdmin again to restore your password if hacked.
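To make the SQL injection idea above concrete, and to show what the “save the admin hash, restore it later” tip actually does, here is an added example (my own illustration, not code from Wordpress or from this post). It uses an in-memory SQLite table with a constructed, simplified version of the `wp_users` table (real Wordpress uses more columns and phpass hashes rather than SHA-256). The vulnerable function builds the UPDATE statement by pasting the user name into the SQL text; the safe one passes it as a bound parameter. The same constructed input is fed to both so you can see that only the string-built query lets the WHERE clause be rewritten to hit every account, including admin. The `snapshot_hash` / `restore_hash` helpers are the phpMyAdmin save-and-restore step in code form.

```python
import hashlib
import sqlite3


def hash_pw(pw):
    # Stand-in for the password hashing a real install would do (constructed; not phpass).
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    # Constructed, simplified wp_users table with two accounts.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE, user_pass TEXT)"
    )
    con.executemany(
        "INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)",
        [("admin", hash_pw("correct horse")), ("editor", hash_pw("battery staple"))],
    )
    con.commit()
    return con


def reset_password_vulnerable(con, user_login, new_pw):
    # The caller-supplied user_login becomes part of the SQL text itself, so a
    # quote character inside it changes the shape of the statement.
    sql = "UPDATE wp_users SET user_pass='%s' WHERE user_login='%s'" % (
        hash_pw(new_pw),
        user_login,
    )
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # how many accounts were actually changed


def reset_password_safe(con, user_login, new_pw):
    # Parameterised query: the driver sends user_login as a value, never as SQL.
    cur = con.execute(
        "UPDATE wp_users SET user_pass=? WHERE user_login=?",
        (hash_pw(new_pw), user_login),
    )
    con.commit()
    return cur.rowcount


def snapshot_hash(con, user_login):
    # The "copy your hashed admin password out of phpMyAdmin" step.
    row = con.execute(
        "SELECT user_pass FROM wp_users WHERE user_login=?", (user_login,)
    ).fetchone()
    return row[0] if row else None


def restore_hash(con, user_login, saved_hash):
    # The "paste the saved hash back in" step after a compromise.
    cur = con.execute(
        "UPDATE wp_users SET user_pass=? WHERE user_login=?", (saved_hash, user_login)
    )
    con.commit()
    return cur.rowcount


def demo():
    con = make_db()
    saved = snapshot_hash(con, "admin")
    # Constructed malicious value: the embedded quote closes the string and the
    # OR makes the WHERE clause true for every row.
    evil = "nobody' OR '1'='1"

    touched_vuln = reset_password_vulnerable(con, evil, "pwned")  # 2 rows: both accounts
    admin_changed = snapshot_hash(con, "admin") != saved          # True: admin was hijacked

    restore_hash(con, "admin", saved)                             # put the saved hash back

    touched_safe = reset_password_safe(con, evil, "pwned")        # 0 rows: no such login
    admin_still_ok = snapshot_hash(con, "admin") == saved         # True: untouched
    return touched_vuln, admin_changed, touched_safe, admin_still_ok


if __name__ == "__main__":
    print(demo())
```

Running it prints `(2, True, 0, True)`: the string-built UPDATE rewrote every account’s password, the parameterised one changed nothing, and the saved hash put admin back. The point for a blog owner is the last part: if you keep a copy of the `user_pass` value, restoring the original login after a defacement is a single UPDATE, but the real fix is patching the code that builds queries from user input.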
4 Responses to “Was Wordpress Hacked by SQL Injection Vulnerability?”
Were you using WordPress 2.7.1 at the time? Are all your plugins up to date? The number one cause of compromised installs is running an outdated version.
If you were running 2.7.1 when your blog was customized, I’d appreciate you sending any additional information you have to security@wordpress.org so we can take a look.

The hacked version was Wordpress 2.6 with no plugins other than Akismet … this has now been upgraded to 2.7.1, plus I have taken additional security measures to prevent login.

I’ve seen something very similar this morning. From log files it looks like he accessed the site and then magically some mysql records were changed to redirect the site. There’s no indication anything in wp-admin was even touched. Site is running 2.7.1 with no plugins! I’m just starting to get it set up and it was already hacked.

After discussing with my host provider, they’ve indicated the issue was in the disabling of mod_security as is recommended in some places. I’m working with them to get the needed rules in place to allow the ajax code to work properly.