Lately there seems to be a hacking spree around old versions of WordPress. Most of the time the hacker will edit your theme files to insert spam links. One of my older and non-active blogs got that problem, and I had several friends complaining to me about it as well when chatting over IM.
I would therefore recommend that all of you run a quick check on your WordPress to make sure it has not been compromised.
How do I find out if I have been hacked?
The easiest way to identify the spam links is to open your website in a browser and take a look at the source code. Pay particular attention to the header and footer of your HTML, and check whether there are links that are not supposed to be there (usually they are related to pharmacy, drugs, credit cards and similar topics).
If you use Firefox you can also click on “Tools,” then “Page Info,” and then “Links.” This window will show all the outgoing links from the current web page that you are visiting.
Finally, you should also examine all your theme files and your WordPress installation for any file or piece of code that looks suspicious.
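The link check described above can also be scripted. The following is an added example, not code from the original post: it parses a saved copy of a page and lists every link to a host outside an allow-list you supply, noting which of the topics mentioned above appear in the URL or anchor text. The host names, keyword list and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list, taken from the link topics named in the post.
SPAM_WORDS = ("pharmacy", "drug", "credit card")

class LinkAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.current = None   # record for the external <a> being read
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        self._finish()        # tolerate an earlier <a> left unclosed
        href = dict(attrs).get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        if host and host not in self.allowed:  # relative links have no host
            self.current = {"href": href, "host": host, "text": "",
                            "line": self.getpos()[0]}

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._finish()

    def _finish(self):
        if self.current is not None:
            blob = (self.current["href"] + " " + self.current["text"]).lower()
            self.current["spam_words"] = [w for w in SPAM_WORDS if w in blob]
            self.findings.append(self.current)
        self.current = None

def audit(html, allowed_hosts):
    parser = LinkAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    parser._finish()
    return parser.findings

# Constructed sample: one intentional link, one injected into the footer.
SAMPLE = ('<a href="/about/">About</a>\n<a href="https://wordpress.org/">WP</a>\n'
          '<div id="footer"><a href="http://pills.example/buy">cheap pharmacy</a></div>')
```

Calling `audit(SAMPLE, {"wordpress.org"})` returns a single finding, the footer link on line 3; in practice pass the saved HTML of your own page and the hosts you link to on purpose. Host matching is exact, so list `www.` variants separately.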
How do I fix the problem?
Most of the blogs that get hacked are running older versions of WordPress that still have several security bugs open, so your first line of defense is to stay updated with the newer versions. If you have been putting off your update to WordPress 2.5, make sure to check the Automatic Upgrade plugin; it makes the process a piece of cake.
Secondly, you should also secure your WP-Admin folder by allowing access only to certain IP addresses. You can do that by creating a .htaccess file (a simple text file named that way) and dropping it inside your WP-Admin folder with the code found in the article 3 Must Apply Security Tips for WordPress.
Thirdly, you should also disable directory browsing on your whole website, so that people cannot view what plugins you are using or other sensitive data. You can do this easily by adding the following line to the .htaccess file located in your root directory:
Finally, if for some reason you can’t upgrade your WordPress or restrict access to the WP-Admin folder to certain IPs, you can still delete your theme-editor.php file from the WP-Admin folder. This solution is far from optimal, but it should help in protecting your blog from people trying to add spam links to your theme files.
Ah, and don’t forget to change your passwords regularly as well!