2

A little while ago I got this email:

hi there,
i am [name], security expert.

your website is not secured. you use a weak password. and you didnt install security to     prevent hacking/malware attacks.
as proof, i upload a file: http://[site]/1337[name].html
dont worry. i didnt edit/change/delete anything of your wesbite. feel free to contact with me to fix security issue. 

cheers
[name]

I checked and the file is there with the content:

hi, i upload this file to proof that your website is not secure. please check your email. 
cheers

This reeks of scam and phishing (particularly the bad English), but I am spooked that this file I didn't create is up on my server.

For reference, I am using a GoDaddy shared hosting server with SSH enabled, and running a WordPress site with a bunch of subdirectories which have various personal website projects I've worked on, a number using PHP for database (and old Facebook SDK) connections. The file appears to be created by my FTP user.

How is it possible that this person put a file up on my site? How can I patch this security hole? I have already changed my (S)FTP password.

Esaevian
  • 121

1 Answer

2

Someone can change files on your server without having any of your passwords. Injection attacks like this are very popular.

Make sure your WordPress and PHP installations are up to date. It is also possible that you have a vulnerability in a plugin or theme. Make sure they are up to date as well, and be sure to disable any plugins/themes you don't need.
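
An added example, not part of the original answer: one way to trace how the file arrived is to line up the planted file's modification time with state-changing requests in the web access log, and with any other files written at the same moment. It assumes the host exposes an Apache-style "combined" access log; the log lines, timestamps, IPs and paths below are constructed.

```python
import os, re
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format: ip - - [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def requests_near(log_lines, when, window_s=120, methods=("POST", "PUT")):
    """Return (time, ip, method, path, status) for requests using `methods`
    logged within window_s seconds of `when` (a timezone-aware datetime)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method in methods and abs(t - when) <= timedelta(seconds=window_s):
            hits.append((t, ip, method, path, int(status)))
    return sorted(hits)

def files_changed_near(root, when, window_s=120):
    """List files under root modified in the same window; anything written
    alongside the planted file deserves a look too."""
    out = []
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            if abs(os.lstat(p).st_mtime - when.timestamp()) <= window_s:
                out.append(p)
    return sorted(out)

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Mar/2015:10:14:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [03/Mar/2015:10:15:02 +0000] "POST /projects/old/upload.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.9 - - [03/Mar/2015:10:15:05 +0000] "GET /planted.html HTTP/1.1" 200 96 "-" "-"',
    '198.51.100.7 - - [03/Mar/2015:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    # Constructed mtime; on a real server use os.stat(path).st_mtime instead.
    planted = datetime(2015, 3, 3, 10, 15, 3, tzinfo=timezone.utc)
    for hit in requests_near(SAMPLE_LOG, planted):
        print(*hit)
```

A script that received a POST seconds before the file appeared is the first place to look for an unpatched upload or injection flaw; no matching request points instead toward FTP/SSH access or a log that does not cover that path.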