I found out the hard way that some customer sites were attacked by “SQL Injection”.

This left me feeling disheartened, depressed, and extremely disappointed by what happened.

I recently went ahead and set up a test WordPress site with the default installation from Fantastico, and sure enough the site was hacked.

Unfortunately, a default install of WordPress is not as secure as anyone would wish, so extra preventive measures are essential.

What happened here is that the hackers updated 2 records in the options table. These records hold the blog name and the site’s URL.

To fix the issue, I just updated these 2 records and sure enough the site was normal again.

To avoid this, you need to make sure that no one but you has access to the wp-admin directory.

Here is how you can do it:

Create a new file, call it .htaccess (hypertext access), and store it in the wp-admin folder under your main WordPress installation.

.htaccess files control access on a per-folder basis, so you can place a copy in every folder whose access you want to control and secure.

Add the following and save the file:

# allow requests for images, CSS and JavaScript files from anyone
# (the dot is escaped so the pattern matches a literal file extension)
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

# everything else: allow only from your own static IP address
# (Apache does not accept a comment after a directive on the same line,
#  so the note about your IP has to sit on its own line like this)
Order deny,allow
Allow from 00.000.00.000
Deny from all

Substitute 00.000.00.000 with your IP address. You can easily find it by going to http://showip.net.

This will allow access only from your browsing location. If you want the flexibility of a wider range for reaching the admin area, enter the partial address 00.000.00. (the first three octets, with the trailing dot) instead of 00.000.00.000; Apache then allows every address that starts with those octets.
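To see exactly what these two rules admit, here is a small Python model (an added example, not part of the original post and not Apache's own code) that evaluates a request path and client address against the .htaccess above. The allowlist and client addresses are constructed from documentation ranges, and matching partial addresses on whole-octet boundaries is my simplification of how Apache treats `Allow from` with a partial IP.

```python
import re
from ipaddress import IPv4Address

# Regex from the post's <Files ~ "..."> block: static assets anyone may fetch.
STATIC_ASSET = re.compile(r"\.(css|jpe?g|png|gif|js)$")

# Constructed sample allowlist: one single host, plus a whole /24 written the
# way the post does it ("00.000.00." = first three octets only).  Both are
# documentation addresses (RFC 5737), not real clients.
ALLOW_FROM = ["198.51.100.23", "203.0.113."]


def ip_matches(client_ip: str, allow_entry: str) -> bool:
    """Model of `Allow from <full or partial IPv4>`: compare whole octets.

    A partial entry such as "10.1" (or "10.1.") must match the leading octets
    exactly, so it covers 10.1.x.x but not 10.12.x.x; a naive string prefix
    test would wrongly admit the latter.
    """
    IPv4Address(client_ip)  # raise on a malformed address rather than guess
    want = allow_entry.rstrip(".").split(".")
    if not 1 <= len(want) <= 4 or not all(o.isdigit() for o in want):
        raise ValueError(f"bad Allow from entry: {allow_entry!r}")
    return client_ip.split(".")[: len(want)] == want


def is_allowed(path: str, client_ip: str, allow_from=ALLOW_FROM) -> bool:
    """Decide one request against the post's wp-admin/.htaccess.

    Order deny,allow: "Deny from all" applies first, then a matching Allow
    overrides it.  The <Files> block grants "Allow from all" to static
    assets, so those pass regardless of where the client comes from.
    """
    filename = path.rsplit("/", 1)[-1]
    if STATIC_ASSET.search(filename):
        return True
    return any(ip_matches(client_ip, entry) for entry in allow_from)


if __name__ == "__main__":
    for req in [("/wp-admin/index.php", "198.51.100.23"),
                ("/wp-admin/index.php", "192.0.2.1"),
                ("/wp-admin/css/install.css", "192.0.2.1"),
                ("/wp-admin/options.php", "203.0.113.77")]:
        print(req, "->", "allowed" if is_allowed(*req) else "denied")
```

Note that the static-asset exception lets anyone download .js and .css files under wp-admin, but never the .php pages, which is the behaviour the post's rules intend.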

Test by going to Site Admin and logging into your admin area.

You should get in with no issues.

Log out, then log in again through a proxy site. You should be sent to a file not found error page instead.

Please do yourself a favor and do it. If you need any help, let me know.