I just spent half a day cleaning a client's website after an intense attack targeting the outdated timthumb vulnerability.
The attacker discovered an inactive old theme (canvas) within the website, scanned for thumb.php and planted an external malicious PHP script inside the website.
Then, through that planted malicious script, it infected about 100 other PHP files, overwriting the header of each with malicious code.
This type of attack couldn't be cleaned up just by reinstalling wordpress, as the attacker could use <i>any</i> of the newly infected files to re-infect the whole site again.
Luckily her website was hosted at <a href="http://hostrum.com" rel="nofollow">http://hostrum.com</a>, where she had a detailed report of all suspicious files that had suddenly appeared.
Lessons:
1. Make sure your hosting company has realtime malware notification and protection. Very few hosting companies do that.
2. Do not keep uninstalled old themes or old plugins - they can be used as backdoors into the website. Delete them if not used.
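As an added example (not the commenter's own tooling), here is a small Python audit that does what the hosting report above did for her: it baselines every PHP file under a site by hash, then flags files that newly appeared, files whose contents changed, and files whose first bytes carry a typical injected-header pattern. The directory layout, the two sample files, the simulated "infection" and the pattern list are all constructed for this example.

```python
import hashlib
import os
import re
import tempfile
# Constructed marker for code often prepended to infected PHP headers; extend it with what your host's report shows.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)

def snapshot(root):
    """Map relative path -> sha256 for every .php file under root (the baseline)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result

def audit(root, baseline, header_bytes=512):
    """Flag PHP files that are new, changed, or carry a suspicious header vs. the baseline."""
    current = snapshot(root)
    report = {"new": [], "changed": [], "suspicious_header": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["new"].append(rel)          # dropped file, e.g. a planted backdoor
        elif baseline[rel] != digest:
            report["changed"].append(rel)      # overwritten file, e.g. header injection
        with open(os.path.join(root, rel), "rb") as fh:
            if SUSPICIOUS.search(fh.read(header_bytes)):
                report["suspicious_header"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed site: take a baseline, simulate the infection, audit the result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes", "canvas"))
        clean = {"index.php": b"<?php\nrequire 'wp-blog-header.php';\n",
                 "wp-content/themes/canvas/thumb.php": b"<?php\n// stale timthumb copy\n"}
        for rel, body in clean.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Simulated compromise: one planted file, one existing file with an injected header.
        with open(os.path.join(root, "wp-content", "dropped.php"), "wb") as fh:
            fh.write(b"<?php eval(base64_decode('Li4u')); ?>")
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php eval(gzinflate(base64_decode('Li4u'))); ?>\n" + clean["index.php"])
        return audit(root, baseline)
```

Run `snapshot()` against a known-clean install and store the result off-server; a periodic `audit()` against it catches both the dropped script and the re-infected files the comment describes.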
I had an attached comment with this information but want to break it out, as it will likely be useful to people without lots of time dealing with the various ways Wordpress can/will (mostly will) get attacked.

First: Double-check your folder and file permissions. A lot of plugins like and love very open folder permissions so they can write stuff everywhere. Be very careful with changing permissions on core Wordpress stuff! If, for instance, you give the web server write permissions to the core, you're going to have a bad time. This is made worse by the fact that many people are used to using the wp-admin 'upgrade' functionality. In my view this is beyond awful. A lot of WP exploits would be made much harder by just not allowing this and manually upgrading the Wordpress core. It's very easy anyway.

Second: Disable the following PHP functions in php.ini on the server hosting Wordpress:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

You can just add that line anywhere in the php.ini, restart apache (or php-fpm if you're using that), and you've suddenly blocked 99% of the Wordpress and greater PHP attacks against your server. Essentially you'll run across some PHP scripts eventually that want one or more of those permissions. If they do, run them on a server separate from Wordpress and also keep the application way up to date (or you'll have a bad time).

Third: Install and keep this handy: <a href="http://wpscan.org/" rel="nofollow">http://wpscan.org/</a>

WPScan allows you to do a URL/folder-based Wordpress scan looking for vulnerable files, Wordpress versions and plugins. It is a very good tool to keep handy if you host lots of Wordpress sites.

Oh, one more little thing. The timthumb vuln issue someone mentioned below... keep this handy for the newest version: <a href="http://timthumb.googlecode.com" rel="nofollow">http://timthumb.googlecode.com</a>

Any questions?
The specific vulnerability mentioned in this article is only exploited when a comment containing dynamic snippets is posted. Most WP blogs use comment moderation of some sort to prevent spam and that prevents this attack from being widely exploited, in my opinion.