For the last few days I’ve been trying to figure out how this site became compromised. This is not the first time it’s happened and probably not the last. It’s always fun to get an email from the good folks at Bluehost saying that you’ve violated their TOS and your site is shut down. Every time it has happened it seems like the same type of attack. Somehow there is remote file inclusion, which leads to code execution, which turns into full compromise. Last time it happened there were just files littered about in every directory. Easy enough to clean up. This time it randomly patched the WordPress application PHP files, completely destroying my WordPress install. The WordPress backup also duplicated these files into the backup, making restoring impossible.
I chose the easy way out: I took the wp-config.php file and moved it to a completely new set of WordPress files. After some minor configuration changes I was back up and running. Of course I did the required things as well: password changes, SSH key changes and permission resetting.
Since this is not the first compromise this year, I started thinking about how the attack may have happened. It seems most likely that a plugin was to blame for the remote file inclusion since Bluehost automatically updates WordPress for me. Being more curious about how it happened I’ve decided to put my site on a Git repo so that I can quickly track changes to the files and roll back quickly if I get compromised again. Since I’m on Bluehost’s shared hosting, it will be difficult to get file monitoring so I think running a Git repo is the next best alternative. I’ll let you know how it turns out.
For the record, do not put your site on a public Git repo like GitHub without excluding confidential files such as wp-config.php via .gitignore.
If you want to run your WordPress install in a Git repo, do the following:
#> git init
#> git add .
#> git commit -am "Git repo for my WordPress"
#> cd .git
#> echo "Deny from all" > .htaccess #If you don't want the world to view your .git repo (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
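To turn that repo into the poor man's file monitor the post is after, here is an added shell example (not from the original post) that baselines a WordPress docroot in Git, keeps wp-config.php out of it, blocks web access to .git, and reports any file that differs from the last commit. The docroot path argument and the function names are my assumptions.

```shell
#!/bin/sh
# Added example: Git as change-detection for a WordPress docroot on shared hosting.
# Assumption (not from the post): the docroot is passed as $1 to each function.

# Baseline the docroot the way the post describes. Idempotent: safe to rerun on an
# existing repo. wp-config.php (DB credentials, salts) is excluded before the first
# commit, and .git gets an .htaccess so Apache will not serve the repo contents.
wp_git_init() {
  dir="$1"
  ( cd "$dir" || exit 1
    [ -d .git ] || git init -q .
    grep -qx 'wp-config.php' .gitignore 2>/dev/null || echo 'wp-config.php' >> .gitignore
    git add -A . >/dev/null
    # identity passed inline so this also works from cron with no global git config
    git -c user.name=wp-monitor -c user.email=wp-monitor@localhost \
        commit -q -m "baseline" >/dev/null 2>&1 || true
    # Apache 2.2 syntax as in the post; on Apache 2.4 use "Require all denied"
    printf 'Deny from all\n' > .git/.htaccess )
}

# Print every path that differs from the baseline: " M" modified, "??" new/untracked,
# " D" deleted. Exit status 1 when anything changed, so a cron line such as
#   wp_git_check /home/user/public_html || mail -s "WP files changed" you@example.com
# only sends mail when there is something to look at (a new .php under wp-content/uploads
# or a modified core file is exactly the footprint the post describes).
wp_git_check() {
  changes=$(git -C "$1" status --porcelain --untracked-files=all)
  if [ -n "$changes" ]; then
    printf '%s\n' "$changes"
    return 1
  fi
  return 0
}

# Number of changed paths, handy for scripting and for the test below.
wp_git_change_count() {
  git -C "$1" status --porcelain --untracked-files=all | wc -l | tr -d ' '
}
```

After a legitimate plugin or core update, commit the new state so the baseline moves with you; anything that shows up between your own commits is what you want to investigate.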