Channel: How did they hack my Wordpress sites - Server Fault
Answer by kristina childs for How did they hack my Wordpress sites

This question is really old, but since I've been recently dealing with the same type of attack, here are some very basic things you can do:

  1. Edit your php.ini file to disallow base64_decode functionality. Find the line that says disable_functions = and change it to disable_functions = eval, base64_decode, gzinflate. A lot of these scripts use this function to unpack their files and get them running on your server. This will at least stop the files from auto unpacking.
  2. Change your wordpress table prefix. You'll have to do this in your MySQL database as well as your config.php file. The default prefix is wp_ and that makes guessing table and field names very easy for 90% of the wordpress blogs out there. It's not a silver bullet or anything, but it'll force them to try to guess what your database names are, which could slow them down enough to give up trying to insert things into your database.
  3. Change the name of your uploads folder. Wordpress allows write access to this folder via the media uploader, which makes this a really easy place for them to upload PHP files that contain shell scripts, and it's likely you won't see them here. They won't show up in your media library AND they'll be buried in a place you're not likely to navigate to when using an FTP program. Just like changing the default database prefix, if you leave this folder as the default anyone with any skill at all can guess the file path to that folder. We've also gone so far as restricting file types that can be added to that folder to .jpg, .gif and .png, since the uploads folder name can easily be discovered by checking the URL of any image on your blog.
  4. Get a good security plugin like Wordfence. I've been very pleased with it so far.
  5. I wouldn't recommend this to inexperienced users, but another good way to keep your filepaths secret is to move your contents folder outside of the main wordpress install (i.e. application directory). It'll work similar to having a virtual directory, where the URLs on your blog don't reflect the literal file paths. By doing this, if they try to upload to directories found in your URL they will run into errors. There's information on changing the location of your contents folder in the codex here.

In general, it's a good idea to change all defaults to customize your install as much as possible. There's much, much more you can do and I highly recommend reading up on hardening wordpress and php, but simple things like this will keep out most casual hackers and those using automated vulnerability scanners.

Also know that if they had full access to your server you are going to have to change all of your user accounts. Change your account name. Change your passwords. ALL your passwords, including database, FTP... anything that requires validation is now compromised and if they have those, all the hardening in the world means nothing.
