The first sign of trouble was the following email that suddenly appeared in my Inbox:

Subject: Password Lost/Changed
Password Lost and Changed for user: admin

I attempted to log into my blog, but was unable to. I logged into phpMyAdmin and checked the user table. Somebody had changed the admin email address and and admin password. I quickly changed the email address back to my address and used the forgot password feature to reset the password.

Unfortunately that wasn’t the end of the problems. Later that day I received the Password Lost/Changed email again, and this time I was too late. My homepage looked like this:

Defaced by Hacker Attack

Defaced by Hacker Attack

I am not a security expert, but this did not make sense. How had the hacker got my new password? I called my hosting provider, Bluehost, to tell them about the hack. I don’t remember the customer support persons exact words, so I will have to paraphrase. Basically I was told that they are not responsible for security of my site, there is nothing they can do, even the Pentagon gets hacked, and I should call a security expert so they can assess my site for security problems. Awesome! Can somebody explain why WordPress recommends this company?

Anyway, I was still confused. It didn’t make sense that a hacker had grabbed my password twice, so I looked into it a little deeper. Luckily my site isn’t very busy so it was easy to find how the hacker had arrived at my blog:

Basically, somebody with a Cairo, Egypt IP address had run this search to find the keyword “WordPress” on a specific IP address. The IP address happened to correspond to the server I was hosting on at Bluehost. Why would a hacker be searching for WordPress blogs on a specific server? I have a pretty good idea, but I don’t know the answer for certain, so I’ll let others draw their own conclusions.

Looking at the search results I noticed other sites like donnapinto.com and spaceplans.org had also been hacked. A few weeks later and donnapinto.com is still defaced. Spaceplans.org is now displaying a proud Patriotic homepage. I didn’t check anymore sites, it was clear the hacker had some sort of access to more than one site on the same server. A few days later I found a new home for my site. My next step is to brush up on my WordPress Security. Damn Hackers!