There’s a Wordpress plugin that uploads jpg and png avatars for users.  As we found out the hard way,  do not activate it ever. It’s the exact way how the attacker can get into your files (png can be script). Any plugins/addons that allow your subscribers to upload something (you can allow jpg or gifs for avatars, but better keep it safe) turns out to be DANGEROUS.

Here’s how the attacker gets in the database for Wordpress and starts causing mischief.  In the database appears javascript code that creates a second administrator.  It will have no name but all rights and call itself Wordpress (like a superuser).  So you have no chance to see this user in a list. But, there’s still one place where you can see it (please remember it).  When you’re on the user managing page, theres a list

All users | administrators (1) | subscribers (65)

When you click on the All Users, you will see administrators (2) – so if you know there’s only 1 administrator, the second is an exploit.

Why tell you all this? Maybe you can use this info to save a friend.  It sure is hard running a website to offer information nowadays!