After seeing that I possibly might have had some exploits run on my site again, I upgraded to WordPress 2.8.
After reading up on hardening WordPress, the official site mentions AskApache, some plugin that helps with hardening. I’m not too sure about it yet, because it wants to be writing .htaccess files in my directories and for that I have to open up more than I would want. But hey, let’s give it a go.
At some point it creates a username and password that you choose. I go on and configure stuff, not knowing very well which of its many modules I’m supposed to activate, or why.
I forget about it, and ten minutes later I check my mail. I have a mail from AskApache. With my login details. And the password in plaintext.
Is the WordPress security model just fundamentally broken?