I just read about a new and nefarious attack on WordPress at the Wordfence website.. Wordfence is a fantastic security plugin for WordPress; if you’re not already using it, you should be. If you administer or otherwise use WordPress for your web presence, you should also subscribe to their WordPress security update newsletter.
Wordfence has uncovered a particularly clever way for a hacker to gain access both to your WordPress installation and, by extension, the ability to run arbitrary PHP code on your web server. The attack works by scanning the servers of a web hosting company for the /wp-admin/setup-config.php file which indicates a WordPress installation that hasn’t yet been configured.
Once this file is detected, the hacker can then visit the URL and proceed to run the automated WordPress installation but specifying the database to be used as one under their control. After a successful database connection is made, WordPress then prompts for an administrator username and password.
Bingo! The hacker has administrator level access to a WordPress installation and can then run arbitrary PHP code to further compromise the server.
Unless and until WordPress modifies their installation process to prevent this, the only apparent way to ensure this can’t happen is to modify your .htaccess to only allow access from whatever IP address you are using to run the installation (you must does this before uploading/installing WordPress).