Hi All,
This question is still related to my case in the following thread:
Recently my site has been hacked, and my main question here is:
If someone has been able to alter my file, does it mean that my credentials (userid & password) DEFINITELY has been leaked out ? Or is there still any other possibility to penetrate into the system without knowing my credentials ?
Thank.s
Hackers have many tricks to log in your account. One of the tricks is sql injection. Through this they can easily get your username and password. but this is possible is only when your are using .asp webpages.
This is not my area of expertise, but I’m pretty sure that’s not true. As far as I’m aware PHP is also vulnerable, if not well-written.
No it doesn’t definitely mean your password has been leaked, I recall wordpress stores the password encrypted. However, it would be wise to proceed on the assumption it has been. The hackers point of entry could be a number of areas - ftp, sql injection, incorrect file write permissions etc. It could also be that you are using an insecure plugin, or that the theme was already compromised (see http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/)
Technobear is correct that the scripting language used has no bearing what so ever on whether injection and subsequent malicious database manipulation can be performed - all scripting languages can be used to channel sql injection attacks on connected databases.
denis it doesn’t mean they know your credentials - in wordpress I’m sure your password is MD5d and salted so pretty difficult for people to get it if the passwords is strong enough - anyways in any case you would change your password for everything after this, for them to modify your footer they will most likely have a webshell on your site or some code injected in other files that gains them access.
It’s hard to tell without looking at logs etc - if your on shared hosting they could have came from another site on the server, follow some pretty basic steps below:
Restrict access to wp-admin to preferably just your IP - remove versioning so automatic scanners cannot grab the version and match exploits private and public to test on your site - don’t leave anything lying around, whatever theme your using, keep those files and delete the rest of the themes - keep plugins updated and limited - move uploads folder outside the web root.
The most important tweaks come from a properly configured server.