We have all worried about keeping our WordPress installs up to date so that we are running the latest security updates. We do this so that security holes are fixed as they become known. This is all well and good, but there is another vulnerability that we may not have thought of.
How I Got Hacked – A true story by Dan Morris
I need you to know this in your heart so it never happens to you. I got hacked this week, making all my sites, including my clients' sites, go down and appear as having a virus. Very, very bad. But I could have avoided it, had I really thought about this.
In this story, Dan talks about how he did not want his domain anymore, so he just let his registration lapse, letting the hosting on his server just remain there because he did not have a domain pointing to it. Well, in the long run this created a pretty big security hole for his server.
So someone with malicious intent comes along and registers the domain. They know it used to point at this server, so they decide to see what damage they can do. They point the domain to the old hosting account and, lo and behold, the site is still up and running. Now that they own the domain, they can request the admin login information by using the "forgot password" function. The reset message is caught by a catch-all email address, so they don't even need to know the exact address. Once they have the new login information, they can go in and install whatever they want on this hosting account, be it a script that lets them put whatever files they want wherever they want, or forms that pretend to be a credit card company and ask unsuspecting customers for their login information.
So, even if you take your WordPress site down by removing or changing the DNS, and it was up to date with WordPress updates when you took it down, you also need to make sure that you shut down the hosting account. Leaving it in place can create a huge security hole in your infrastructure.
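One way to catch this before it bites is to reconcile what is still configured on your hosting against the domains you actually hold. The script below is an added example, not part of the original story; the inventory format, the domain names and the dates are constructed for illustration. It flags any site whose domain, or whose admin email domain, has lapsed, is missing from your registrations, or is about to expire.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the original post).
REGISTRATIONS = {            # domain -> registration expiry date
    "keep.example": date(2026, 1, 1),
    "old-blog.example": date(2024, 3, 1),   # allowed to lapse
    "soon.example": date(2025, 6, 10),
}
SITES = [                    # sites still configured on the hosting account
    {"host": "www.keep.example", "admin_email": "admin@keep.example"},
    {"host": "old-blog.example", "admin_email": "webmaster@old-blog.example"},
    {"host": "shop.keep.example", "admin_email": "owner@gone.example"},
    {"host": "soon.example", "admin_email": "admin@keep.example"},
]

def registration_for(host, registrations):
    """Return (domain, expiry) for the registration covering host, else None.
    Matching is on label boundaries: 'notkeep.example' does not match 'keep.example'."""
    host = host.lower().rstrip(".")
    matches = [(d.lower(), exp) for d, exp in registrations.items()
               if host == d.lower() or host.endswith("." + d.lower())]
    return max(matches, key=lambda m: len(m[0]), default=None)

def audit(sites, registrations, today, warn_days=30):
    """Return (site, severity, reason) for hosting that outlives its domain."""
    findings = []
    for site in sites:
        # Password-reset mail goes to this domain, so it must stay yours too.
        mail_domain = site["admin_email"].rsplit("@", 1)[-1]
        for label, host in (("site", site["host"]), ("admin email", mail_domain)):
            reg = registration_for(host, registrations)
            if reg is None:
                findings.append((site["host"], "HIGH", f"{label} domain {host} is not in your registrations"))
            elif reg[1] < today:
                findings.append((site["host"], "HIGH", f"{label} domain {host} lapsed on {reg[1]}"))
            elif reg[1] - today <= timedelta(days=warn_days):
                findings.append((site["host"], "WARN", f"{label} domain {host} expires on {reg[1]}"))
    return findings

if __name__ == "__main__":
    for site, severity, reason in audit(SITES, REGISTRATIONS, date(2025, 6, 1)):
        print(f"{severity:4} {site}: {reason}")
```

Any HIGH finding means the hosting account should be removed, or the admin email moved to a domain you still hold, before the site is left online.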