Unfortunately this post has been prompted by my own security scare! The problem, which surfaced yesterday, seemed to centre on the .htaccess file in the root directory of client WordPress-powered sites. A hacker managed to exploit a file permissions vulnerability in this file on a pile of sites, which basically allowed him/her/it to inject some code in there, redirecting any site visitor to http://r1estudio.com/cabanas with the following slightly pointless message:
I had a habit of setting the permissions on the .htaccess file to 666, which is the lowest permission I could give it and still enable WordPress to write things like Permalink, Cache & Mobile configuration to the file. Trouble is, I never changed it back once I had WordPress configured. The right permission for that file is 644: it leaves the owner able to read and write but removes the write bit for the group and for everyone else (666 grants write access to all three). One caveat worth knowing: on hosts where PHP runs as the same user that owns the files, the owner's write bit still lets WordPress (and anything that has compromised it) rewrite .htaccess, so 644 is a necessary fix rather than a complete one.
The .htaccess and wp-config.php files happen to be quite important in WordPress (wp-config.php holds your database credentials, so it should not be readable by other users on the server either), so make sure yours can't be written to. As usual, you learn the hard way.
The same goes for all sites, whether WordPress-powered or not. Watch your file permissions and passwords!
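As an added example (not code from the original post), here is a small POSIX shell script that does the three checks the post leads to: it reports whether .htaccess or wp-config.php in a WordPress root is group- or world-writable, resets them to 644, and flags any .htaccess directive that sends visitors to another host, which is what the injected code did. The WordPress root it runs against, the function names and the sample file contents are constructed for the demonstration; the redirect target is the one quoted above.

```shell
#!/bin/sh
# Audit and fix the two WordPress files the post warns about, then look for an
# injected off-site redirect in .htaccess. Added example, not from the post;
# the temp directory and file contents created below are constructed samples.

set -u

# Print the octal mode of a file. GNU stat and BSD stat spell the flag differently.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# List files in a WordPress root that must not be group- or world-writable.
# Prints one line per offending file as "<mode> <path>"; returns 1 if any found.
audit_wp_perms() {
    _root=$1
    _bad=0
    for _f in "$_root/.htaccess" "$_root/wp-config.php"; do
        [ -f "$_f" ] || continue
        _mode=$(file_mode "$_f")
        _tail=${_mode#"${_mode%??}"}   # last two octal digits: group, other
        _grp=${_tail%?}
        _oth=${_tail#?}
        # Bit value 2 in a digit is the write bit (rwx = 4 2 1).
        if [ $(( _grp & 2 )) -ne 0 ] || [ $(( _oth & 2 )) -ne 0 ]; then
            echo "$_mode $_f"
            _bad=1
        fi
    done
    return $_bad
}

# Reset both files to 644 (owner rw, group and other read-only), the mode the
# post settles on. Note this still lets the file owner write; if PHP runs as
# that owner, WordPress can still edit .htaccess, so treat this as a baseline.
harden_wp_perms() {
    _root=$1
    for _f in "$_root/.htaccess" "$_root/wp-config.php"; do
        [ -f "$_f" ] && chmod 644 "$_f"
    done
    return 0
}

# Print Redirect*/RewriteRule lines whose target is an absolute http(s) URL.
# grep semantics: exit 0 when at least one line matched, 1 when none did.
# WordPress's own "RewriteRule . /index.php [L]" does not match; a legitimate
# www-canonicalisation rule would, so review hits rather than deleting blindly.
find_offsite_redirects() {
    grep -Ei '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule)[[:space:]].*https?://' "$1"
}

# Demonstration on a constructed WordPress root in a temporary directory.
demo_dir=$(mktemp -d)
printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://r1estudio.com/cabanas [R=301,L]\nRewriteRule . /index.php [L]\n' > "$demo_dir/.htaccess"
printf '<?php\ndefine("DB_PASSWORD", "constructed-sample");\n' > "$demo_dir/wp-config.php"
chmod 666 "$demo_dir/.htaccess" "$demo_dir/wp-config.php"   # the post's old habit

echo "== before =="
audit_wp_perms "$demo_dir" || true
find_offsite_redirects "$demo_dir/.htaccess" || true
harden_wp_perms "$demo_dir"
echo "== after =="
if audit_wp_perms "$demo_dir"; then echo "no group/world-writable files"; fi
rm -rf "$demo_dir"
```

Run it from anywhere; the demo builds and removes its own directory. To check a real site, call `audit_wp_perms /path/to/wordpress` and `find_offsite_redirects /path/to/wordpress/.htaccess` and read the output before running `harden_wp_perms`, since a redirect line may be one you put there yourself.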
Leon.