I’m posting this purely because I hope it will help someone else with a similar problem. I’d searched high and low online for a solution to a WordPress hacking problem I’d had for the past month or so, and it took a while to piece together what was going on. Hopefully this will take the frustration out of the process for others.
…the theme is wrong and needs to be changed.
This was not helpful and no one should ever use these twits for hosting.
- Don’t use the default ‘admin’ WordPress username. Even if you have a strong password (as I did), eventually a bot will be able to guess it and log in. Every WordPress site has ‘admin’ as the default administrator username, making it a no-brainer for hackers. If you’re using ‘admin’, it’s fairly simple to create a new user and delete the default.
- See number 1. Really, don’t use the ‘admin’ username. There are countless WordPress websites installed now, which makes a weakness like this an easy target painted across your website (WordPress is probably a victim of its own success on this point). If you’re like me and only know enough to get yourself into trouble (and not back out again), use a security plugin. If nothing else, it will highlight weaknesses in your site. In my case, the hacking was simply annoying; it wouldn’t have taken much effort for the result to be far worse.
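To see whether bots are already guessing at your login, you can count login attempts in the web server's access log. The script below is an added example, not part of the original post. It assumes the combined log format, that WordPress answers a failed login on `/wp-login.php` with status 200 and a successful one with a 302 redirect, and a threshold of five failures; the sample log lines are constructed.

```python
import re
from collections import defaultdict

def _line(ip, method, path, status):
    # Builds one constructed combined-format log line (not real traffic).
    return (f'{ip} - - [12/Jan/2013:03:14:01 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one address failing six times and then succeeding,
# and one ordinary user who mistypes a password once.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line("203.0.113.7", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "GET", "/wp-login.php", 200),
       _line("198.51.100.20", "POST", "/wp-login.php", 200),
       _line("198.51.100.20", "POST", "/wp-login.php", 302)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def audit_logins(log_text, threshold=5):
    """Report addresses with at least `threshold` failed logins.

    Assumption: POST /wp-login.php -> 200 is a failure, 302 is a success.
    """
    failed = defaultdict(int)
    breached = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # viewing the login form (GET) is not an attempt
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip, status = m["ip"], m["status"]
        if status == "200":
            failed[ip] += 1
        elif status == "302" and failed[ip] >= threshold:
            breached.add(ip)  # a login that worked after many failures
    return {ip: {"failed": n, "succeeded_after_failures": ip in breached}
            for ip, n in failed.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in audit_logins(SAMPLE_LOG).items():
        print(ip, info)
```

An address reported with `succeeded_after_failures` set to true is the case to act on first: change that account's password and review its recent activity.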
Update: For anyone still in two minds about whether these steps to increase security are worth the effort, note that this is now the second most visited post on this site (as of January 2013). It’s reached not by people looking to increase their own security, but by people planning to hack others, who find it through search engines using terms like “how to hack wordpress admin” and similar. Clearly, this is something that will only become more problematic for WordPress users.