Well, my clients site just got hacked for the 2nd time in two months last friday.  Luckily it was resolved and her site is back up and running, but she is obviously very concerned that this is going to happen again.  It was attacked by a phishing scammer installing a fake paypal site on her server.

This time around I did a thorough search of all the files on her site and saw that the .htaccess file had been modified which is probably what was allowing them to get into the site for the second time since I never even thought to look there the last time it was hacked.

We use the most recent version of WordPress and always update immediately when an update is available.  But my question is this.  What else should we look at to make sure that this doesn't happen again?

We changed all the passwords once more and as I said I went through to find any traces of suspicious files on her site server, but I am very worried about preventing another attack on her during her busiest time of year.

I am trying to figure out what program to use to read the server access logs as paypal said if we can grab any ip addresses or anything they may be able to investigate further.

Any advice anyone can give would be greatly appreciated to point me in the direction of any further vulernabilities I should be looking for or what to do to prevent it from happening again.

I still do not even know how they got into her site in the first place, but that is neither here nor there now.

Thank you!

Kathy

oh well gee, that was so helpful! thanks for your thoughtful response.   

Be sure you have enabled archiving under Raw Log Manager if you are on Cpanel. You can download the logs from there and unzip them with 7zip which is free at http://7zip.com. Once you have the access log file, you need to change the name ending from .com to .txt to automatically open it in a text editor like Notepad when you click on it or you can go into notepad and just open it from there with the original name. Look for any suspicious activity like PUTs or really long URLs with mentions of Paypal or webscr in them.

Wordpress is fine and can be secured. Keep it up to date but also keep any plugins up to date. If you look at Plugins in the Wordpress admin section, it will tell you if any are out of date. Lock Wordpress down per http://wiki.lunarpages.com/Keeping_WordPress_Secure . It really works!