Web Hosting Forum | Lunarpages
Topic: Frequent Security Breaches Wordpress/PHP on Sedna

ashton
« on: February 11, 2010, 06:32:40 AM »

I've been having a LOT of trouble with a particular client hosting site. We've been developing a business website using Wordpress as a backend to take advantage of the Content Management system. Pretty much since the first day or 2 we set this site up we've been having rampant problems with things mysteriously breaking overnight, coming in in the morning to find that the Admin Dashboard is completely scrambled one day, the next day finding the entire site gone (the dreaded Wordpress 'White Screen of Death').

The domain in question is www.heatherapy.com

The Wordpress installation (under development, so not at the top level now) is www.heatherapy.com/2010

After the last major problem, I was sure to create a local backup for quick restores (Just did this yesterday morning).

Today, I came in once again to find the Admin Dashboard was all scrambled. This after the site had sat untouched by anyone overnight. I couldn't understand why a website would suddenly become non-functional after simply sitting idle.

I took a look at the files on the server, and compared them to my local backup (taken yesterday) and discovered that DOZENS of PHP files within the Wordpress install had been mysteriously changed overnight. I compared some of these 'tampered' files with the originals, and found most, if not all of them had random strings of code mysteriously written at the top of the PHP file.

Here's an example of what I found stuck into the index.php file ... All this gibberish wasn't in the local version in my backup, can't figure out how it got there.
<?php eval(base64_decode('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')); ?>

Starting to get very annoyed at this, I dug a little deeper, and looked through the FTP logs and discovered that not just one, but numerous IP addresses had been accessing the site and FTP'ing modified files to our own server.

Now we did have a similar problem a few weeks back with HTML files on our site being modified; at the time our password was weak, so we changed it to be safe. No problems for a while, but now this is happening again. I've changed the password again (this time to an even stronger randomly generated password) so we'll have to wait and see if this keeps the vandals out.

Considering all of the above .... are there any further security steps I can take on my end to lock out vandals from tampering with this account? Are there any security issues on Sedna itself that could be causing these frequent and aggressive security breaches? If so is it possible to have this account moved off to a different hosting server? I have had more problems with this one particular account hosted on Sedna than I have with any of my other accounts. As a matter of fact, right now I'm having difficulty connecting to the site (keeps timing out) for the second time in the past week.
« Last Edit: February 11, 2010, 10:41:50 AM by ashton »
jimlongo
« Reply #1 on: February 11, 2010, 01:47:02 PM »

You need to make sure you have the latest version of WordPress.

Another suggestion for most web applications would be to make entry to the administrative area restricted.

Mitch
« Reply #2 on: February 11, 2010, 01:47:57 PM »

I would suggest checking through this guide here for more general advice:

http://wiki.lunarpages.com/Web_Site_Security_Breaches

also, contact support@lunarpages.com or submit a help desk ticket, and they can help with the server side of things.  Chances are there was some vulnerability on your account that somebody was able to find and take advantage of. Let us know how things go here though, and let us know if you have any other general questions we can help out with.

New to Web Site Hosting? Check Out the Lunarpages Blog Hosting Guide!


Follow us @lunarpages on Twitter!
Important Threads: Read This Before Posting! | Lunarforums Rules! | Mitch's Link of the Day!
Also, be sure to check out and subscribe to the Lunartics Blog and the Lunarpages Newsletter !

Need Web Hosting Help? Check out the Lunarpages Web Hosting Wiki. It has tons of tips, tutorials and resources!
ashton
« Reply #3 on: February 11, 2010, 04:04:22 PM »

I'm running Wordpress 2.9.1 and currently have no plugins installed while I get all this mess sorted out.

I've read just about everything on here, and have instituted changes such as restricting access to wp-admin with .htaccess, as well as changing all passwords to Very Strong secure passwords.

Help ticket was useless ... I got a canned response telling me to do everything I'd already done.

What else can I do? Is it just wait and see if the fixes I've made work?
Mitch
« Reply #4 on: February 12, 2010, 05:15:56 AM »

Might also check your file/folder permissions, if you haven't already.  Folders should be set no higher than 755 and files should be set no higher than 644.
DEddleman
« Reply #5 on: February 12, 2010, 05:59:40 AM »

You can also make your admin area even more secure by using an .htpasswd lock-down on it. That way before you can even view the admin area you have to enter a password. A hassle, I know, but if they're targeting your site specifically you shouldn't have to do this long.
MrPhil
« Reply #6 on: February 12, 2010, 08:25:12 AM »

I don't know if it's the same vulnerability, but on the osCommerce discussion group they recommend both changing the name of the admin directory tree to something else (unique to you, and unguessable) and password protecting the (renamed) admin directory. In osC the admin name is declared in a PHP file, so it's only one place to change -- dunno about WP.

Over on Simple Machines Forum (SMF) they had a problem (fixed as of 1.1.11) with hackers signing up and placing PHP or script code in their avatars. The fix involves adding .htaccess code to the avatar/attachments directory to bar the running of any code within that directory. There are also checks in place to scan uploaded avatar images for code.

If the WP developers are doing their job, they're checking and validating all user input to make sure no SQL or PHP injections can take place. If you're still being attacked after all this, it probably means the hacker has direct access into your files, through a stolen password (have you scanned your PC(s) for spyware such as password sniffers and keystroke loggers?), too-liberal directory permissions (suPHP should prevent "world-writable" files or directories), or an internal breach at LP (not good news).
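As an added example that is not code from the thread or from Lunarpages: the hardening steps spread across the replies (ashton's .htaccess restriction on wp-admin, Mitch's 755/644 permissions, DEddleman's .htpasswd lock, and MrPhil's .htaccess that bars code from running in an upload directory) as shell functions you would run over SSH on the account. The paths, the allowed IP, the user name and the constructed tree are assumptions; the .htaccess syntax is Apache 2.2's, current in 2010.

```shell
#!/bin/sh
# Added example, not code from the thread or from Lunarpages. The hardening
# steps the replies describe, as shell functions run over SSH on the account:
# reset permissions to 755/644, lock wp-admin behind an IP allow list plus
# .htpasswd, and stop PHP from being served out of the uploads directory.
# The paths, the allowed IP and the user name are assumptions. The .htaccess
# syntax is Apache 2.2's (current in 2010); on 2.4 the Order/Allow/Satisfy
# lines become Require ip / RequireAny.

# Directories to 755, files to 644, as Mitch recommends. Anything world-
# writable is listed first: under suPHP such entries should not exist, and
# each one is a place an attacker could have dropped or edited code.
fix_permissions() {
    root=$1
    find "$root" \( -type f -o -type d \) -perm -002 -print | sed 's/^/world-writable: /'
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Lock wp-admin: a listed IP gets straight in, everyone else must supply the
# .htpasswd credentials ("Satisfy any" makes either condition sufficient).
# admin-ajax.php is exempted because WordPress front-end features call it for
# anonymous visitors; without the exception those features break.
lockdown_wp_admin() {
    wp_root=$1        # e.g. $HOME/public_html/2010
    htpasswd_file=$2  # keep it outside the web root, e.g. $HOME/.htpasswd
    allowed_ip=$3     # e.g. the office's static address
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd_file
Require valid-user
Order deny,allow
Deny from all
Allow from $allowed_ip
Satisfy any
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}
# Create the credential file once with Apache's own tool (-c creates the file;
# drop -c when adding further users):
#   htpasswd -c "$HOME/.htpasswd" admin

# Refuse to serve PHP from a directory that only holds uploads, the same fix
# MrPhil describes for SMF's avatar directory. Denying the files outright works
# under mod_php, suPHP and CGI alike, unlike "php_flag engine off", which only
# mod_php honours.
disable_php_in_dir() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.ph(p[0-9]?|tml|ar)$">
    Order deny,allow
    Deny from all
</FilesMatch>
EOF
}

# Stand-alone run over a constructed tree.
T=$(mktemp -d)
mkdir -p "$T/2010/wp-admin" "$T/2010/wp-content/uploads"
: > "$T/2010/wp-config.php"
chmod 777 "$T/2010/wp-content/uploads"; chmod 666 "$T/2010/wp-config.php"
lockdown_wp_admin "$T/2010" "$T/.htpasswd" 192.0.2.10
disable_php_in_dir "$T/2010/wp-content/uploads"
fix_permissions "$T/2010"
cat "$T/2010/wp-admin/.htaccess"
rm -rf "$T"
```

Run fix_permissions before trusting the tree: the world-writable list it prints is worth reading file by file, since a 666 file in wp-content is exactly the kind of place a backdoor survives a password change.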
ashton
« Reply #7 on: February 13, 2010, 05:31:16 AM »

Cool. Thanks for the additional suggestions .... I'll secure up as much as I can.


So far I've gone 2 days without any issues since wiping and restoring everything, so I'm hoping that maybe this is the end of them .... I'm guessing there may have been a backdoor stashed away deep somewhere that I finally managed to dig out with the total cleaning.

I'll stay vigilant.