It appears there is an attack against WordPress installations that is placing a phony ‘500’ error page on the site that allows additional commands to be executed. I don’t have all the details yet, but one report indicates that there is a brute-force password guessing attack against the ‘admin’ user of a WordPress site.
The ‘admin’ user is created by default on a WordPress installation; that user has full privileges to the WordPress installation. If the owner has chosen a weak password, or ohe that is easily guessed, then the attacker would get full admin privileges to the WordPress site, including the administrative area.
WordPress login process allows for brute force attacks; an unsuccessful login will just let you try again. There might be some delays if you try brute-force logins, but it is possible to keep on trying a WP login.
The attack will put a phony ‘500.php’ file in your site root (and perhaps other places). So a search for those files might be prudent. Delete any that contain unfamiliar code.
Initially, it looks like many sites that have been successfully attacked are also not current in their WordPress version level. So, prevention would indicate these steps:
1) Create a new ‘admin-level’ user with a strong non-dictionary type password.
2) Log in as that user to ensure that all is OK
3) When logged in as the new admin-level user, demote the user ‘admin’ to the lowest level. Leave the user there just to irritate the hacker.
4) Ensure that your hosting account, and any FTP accounts, have strong passwords. Strongly consider changing FTP passwords.
5) Don’t use an FTP client that stores passwords in plain text. (WinFTP does this.). I recommend WinSCP (open source, free) which encrypts FTP credentials.
6) Ensure your WordPress installation is current. Update all themes and plugins on a regular basis.
7) Check for any rogue user accounts
As a further protection, consider a program that monitors files for unauthorized changes. I found a concept for a program that stores file names and checksums in a database, then compares those checksums the next time you run the program. Any new or changed filenames are emailed. I am doing some final testing, but it appears to work well.
Be careful out there!