<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tiago Moreira &#187; WordPress</title>
	<atom:link href="http://tiago.kamots.net/t/wordpress/feed/" rel="self" type="application/rss+xml" />
	<link>http://tiago.kamots.net</link>
	<description></description>
	<lastBuildDate>Wed, 30 Jun 2010 03:10:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Installing WordPress Securely on DreamHost</title>
		<link>http://tiago.kamots.net/2010/01/26/secure-wp-on-dreamhost/</link>
		<comments>http://tiago.kamots.net/2010/01/26/secure-wp-on-dreamhost/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 04:12:21 +0000</pubDate>
		<dc:creator>Tiago Moreira</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[DreamHost]]></category>
		<category><![CDATA[WordPress]]></category>

		<guid isPermaLink="false">http://tiago.kamots.net/?p=104</guid>
		<description><![CDATA[DRAFT After my WordPress website was hacked into, I began to look into all the options and advice for setting it up securely. http://codex.wordpress.org/Installing_WordPress Step 1: Getting the Latest WordPress Version I like to use the shell for this since it saves on downloading it on one of my computers and then transferring it onto [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><strong><span style="color: #c0c0c0;">DRAFT</span></strong></p>
<p>After my WordPress website was hacked into, I began to look into all the options and advice for setting it up securely.<br />
<a href="http://codex.wordpress.org/Installing_WordPress">http://codex.wordpress.org/Installing_WordPress</a></p>
<h2>Step 1: Getting the Latest WordPress Version</h2>
<p>I like to use the shell for this since it saves downloading the archive to one of my computers and then transferring it to the remote server. Log in to your file hosting server with the shell account you assigned to your domain. Navigate to a directory you want to work from, keeping in mind that it doesn’t have to be the directory that is set to be public on the Internet (i.e. where files placed there can be reached via a browser). At the prompt, run:</p>
<pre>wget <a href="http://wordpress.org/latest.tar.gz">http://wordpress.org/latest.tar.gz</a></pre>
<p>The above link will always download the latest release. Now decompress the archive by running:</p>
<pre>tar -xzvf latest.tar.gz</pre>
<p>In your current directory, you should now have a directory called wordpress that you can rename to anything. You will be pointing your URL address to this folder as your root.</p>
<p>Delete readme.html from the wordpress root directory, as it reveals the exact version you have installed to potential attackers.</p>
<h2>Step 2: Changing the wp-config.php File</h2>
<p>Fill in the information related to the database you’ll be using in the following defines: DB_NAME, DB_USER, DB_PASSWORD, DB_HOST</p>
<p>You should always change the default database table prefix from wp_ to something a bit harder to guess. In most installations, people will have one database devoted strictly to WordPress, so you don’t even have to prefix the tables with wp_; just create a random alphanumeric string (about 4-6 characters long) and use that as your prefix.</p>
<pre>$table_prefix  = 'wp_';     // the default prefix
$table_prefix  = 'rRe342_'; // replaced with a random alphanumeric prefix</pre>
<p>Pay attention to the Authentication Unique Keys section and be sure to get a newly generated set from the WP secret-key service <a href="https://api.wordpress.org/secret-key/1.1/">https://api.wordpress.org/secret-key/1.1/</a>, as the comments in that section instruct.</p>
<p>A good discussion of other wp-config.php options is found here: <a href="http://codex.wordpress.org/Editing_wp-config.php">http://codex.wordpress.org/Editing_wp-config.php</a></p>
<h2>Step 3: Creating Directory-Level Password Checks</h2>
<pre>htpasswd -cm /home/&lt;username&gt;/&lt;website&gt;/.htpasswd &lt;new username you want to create a password for&gt;</pre>
<p>The -c flag creates the .htpasswd file (use it only the first time, since it overwrites an existing file) and -m selects MD5 hashing for the stored password.</p>
<h2>Step 4: Changing the DreamHost Server Settings to Point to Your New WordPress Installation</h2>
<p>To run the WordPress install script, you will need to change the settings of the server to point to your WP root directory (the one created during the decompressing of the archive in Step 1). For DreamHost Web Panel users, head to Manage Domains found either through the Toolbox shortcut or under the Main Menu Domains heading. Find the domain (or sub-domain) name you want WordPress to be shown from and click on its Edit button. Now fill out the Web Directory textbox to map onto the WP root directory.</p>
<p>It may be handy to have phpMyAdmin open and ready for the database you’ll be using as you’re going to want to modify a few things.</p>
]]></content:encoded>
			<wfw:commentRss>http://tiago.kamots.net/2010/01/26/secure-wp-on-dreamhost/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My WordPress Installation Hacked on Netfirms</title>
		<link>http://tiago.kamots.net/2010/01/24/my-netfirms-wp-hacked/</link>
		<comments>http://tiago.kamots.net/2010/01/24/my-netfirms-wp-hacked/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 03:06:17 +0000</pubDate>
		<dc:creator>Tiago Moreira</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[WordPress]]></category>

		<guid isPermaLink="false">http://tiago.kamots.net/?p=102</guid>
		<description><![CDATA[DRAFT I was looking over some settings on my website earlier and I just happened to check on my Google Webmaster Tools account where I discovered that something was not quite right. Google’s site crawler was reporting that there were 24(?) unlinked pages on one of my WordPress pages. I clicked through to find that [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><strong><span style="color: #c0c0c0;">DRAFT</span></strong></p>
<p>I was looking over some settings on my website earlier and I just happened to check on my Google Webmaster Tools account where I discovered that something was not quite right. Google’s site crawler was reporting that there were 24(?) unlinked pages on one of my WordPress pages. I clicked through to find that there was an entirely new directory (/pdd) on my website that linked to a radio podcasting site from the Netherlands. But that directory didn’t exist! Here’s the worrisome part: whoever managed to hack into my account was able to change my root .htaccess file. So they created a new rewrite rule to route the tiago.kamots.net/pdd requests through another vector.</p>
<p>The altered .htaccess file:</p>
<pre>RewriteEngine On
RewriteRule pdd/(.*)/(.*)/(.*)/$ /wp-admin/includes/?post=$3|$1|$2 [L]
RewriteRule pdd/$ /wp-admin/includes/ [L]
RewriteBase /</pre>
<p>Whatever changed the .htaccess file was smart enough to create the new rewrite rules near the top of the file for full effect. Had it simply been appended, it would not have worked.</p>
<p>I transferred a part of the Kamots Network from Netfirms to DreamHost on January 15, 2010, and I originally thought that it was during this small window that the attack was made. But I was wrong. I checked back on the Netfirms servers and there were several files with a last modified timestamp of interest (November 15, 2009). They are (using relative pathnames):</p>
<p>WordPress root directory represented as ~:</p>
<pre>~/.htaccess [Last Modified: 2009-October-23]
~/wp-includes/class-read.php [8 KB]
~/wp-includes/common.php [0 bytes]
~/wp-includes/wp-common.php [69 KB]
~/wp-includes/wp-vars.php [0 bytes]
~/wp-includes/wp-version.php [105 bytes]</pre>
<p>When transferring these files to my desktop computer, my Norton Antivirus detected a High severity PHP.Backdoor.Trojan in wp-common.php. It turns out that this file was written by a “security group” in China, which is also where 90% of my spam messages on WordPress originate from. You can download this toolkit off of this group’s website, so there is a strong chance it was used as part of an automated/scripted attack by another entity entirely.</p>
<h2>Running a Hidden Website Within a WordPress Installation</h2>
<p>What interests me is how this attack was able to implant 46 hidden pages within my WordPress installation. For example, this URL:</p>
<p>http://tiago.kamots.net/pdd/41/hoor/hoorspelcast-raquo-gezocht/</p>
<p>is actually rewritten internally by the .htaccess rule (there is no redirect flag, so the browser never sees the new address) into:<br />
tiago.kamots.net/wp-admin/includes/?post=hoorspelcast-raquo-gezocht|41|hoor</p>
<p>But none of those 46 pages are anywhere in my database or file structure! What an ingenious exploit, and it’s been known since at least 2008, which is the date that this wp-common.php Trojan file was written.</p>
<p>This was quite a learning experience.</p>
<h2>Netfirms</h2>
<p>You may need to look into your file system security. And shouldn’t you have an antivirus scan of some sort running on your servers? Also, your FTP users are limited to passwords of only 6 characters. That’s way too small! Since you randomly generate them for your customers, you may as well go all the way and have longer (and more complicated) passwords created.</p>
<h2>Good References</h2>
<p><a href="http://ocaoimh.ie/did-your-wordpress-site-get-hacked/">http://ocaoimh.ie/did-your-wordpress-site-get-hacked/</a><br />
<a href="http://enthusiasm.cozy.org/archives/2010/01/argh-blog-hacked">http://enthusiasm.cozy.org/archives/2010/01/argh-blog-hacked</a><br />
<a href="http://www.askapache.com/htaccess/htaccess.html">http://www.askapache.com/htaccess/htaccess.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tiago.kamots.net/2010/01/24/my-netfirms-wp-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
