The good news about WordPress is that the development team is very proactive and frequently releases updates that patch security holes reported by other WordPress users. The bad news is that these frequent updates must be applied in order to keep WordPress secure.
There are several reports indicating that hackers are taking advantage of recent security holes reported by WordPress users and software security companies. Numerous WordPress users are reporting that their sites have been compromised. There have been several security updates since the release of version 2.8.0. If you have not updated your site, you need to update it ASAP. The current secure version at the time of this writing is 2.8.4.
With this hack, permalinks may have been changed and a new administrator may have been added that could be difficult to remove. Lorelle covers the issues in an article named Old WordPress Versions Under Attack. Unfortunately, an “old” WordPress version may be an update that you installed just two weeks ago.
When you apply the update, it is also a good time to update any plugins that are calling for an update on the Plugins page. Most plugins have been updated since the 2.7.x versions of WordPress. Be aware that many older plugins have not been updated and may no longer be compatible or secure. In some cases, they have been abandoned by the authors and it may be time to look for a new plugin.
Typical WordPress attacks include the injection of a multitude of hyperlinks into your content, or malicious JavaScript code that may set up redirects to other sites or reveal passwords. Due to the open nature of open source software, it is easy for hackers to determine which weaknesses have been found and plugged simply by comparing old scripts to the new scripts. This reveals the security holes to the hackers, which allows them to go after older, unpatched sites. Security fixes are good for sites that keep up with the updates, but are a double-edged sword because in some cases they can make older installations of WordPress less secure. If your WordPress site has been compromised, follow the advice found in the Lorelle article.
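The symptoms described above (an outdated version, an unexpected administrator, injected links or JavaScript) can be checked from a copy of the site's `wp-includes/version.php`, its administrator list and its post bodies. The following Python is an added example, not code from this article or from WordPress; the link threshold, the hidden-element patterns, the function names and the sample data are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

MIN_SAFE = (2, 8, 4)  # "current secure version" named in the article
LINK_LIMIT = 10       # assumed threshold for "a multitude" of external links

def parse_wp_version(version_php):
    """Return (major, minor, patch) from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"](\d+(?:\.\d+)*)", version_php)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_outdated(version_php):
    """True when the version is older than MIN_SAFE or cannot be read."""
    v = parse_wp_version(version_php)
    return v is None or v < MIN_SAFE

def scan_post(html, site_host):
    """Return findings for one post body: script tags, hidden blocks, link floods."""
    findings = []
    if re.search(r"<\s*script\b", html, re.I):
        findings.append("script-tag")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", html, re.I):
        findings.append("hidden-element")
    hosts = [urlparse(u).hostname for u in
             re.findall(r"<a\b[^>]*\bhref\s*=\s*['\"]([^'\"]+)", html, re.I)]
    external = [h for h in hosts if h and h != site_host]
    if len(external) > LINK_LIMIT:
        findings.append("link-flood")
    return findings

def unexpected_admins(current_admins, known_admins):
    """Administrator logins present on the site but not in your own records."""
    return sorted(set(current_admins) - set(known_admins))

# Constructed sample data (not taken from any real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.8.0';\n"
SPAM = "".join('<a href="http://spam%d.example/">x</a>' % i for i in range(12))
SAMPLE_POSTS = {
    1: '<p>Hello, see <a href="http://blog.example/about">about</a>.</p>',
    2: '<p>Post</p><div style="display:none">' + SPAM + '</div>'
       '<script src="http://cdn.example/x.js"></script>',
}

if __name__ == "__main__":
    print("outdated:", is_outdated(SAMPLE_VERSION_PHP))
    for post_id, body in SAMPLE_POSTS.items():
        print(post_id, scan_post(body, "blog.example"))
```

A post that legitimately embeds scripts or many outbound links will also be flagged, so treat the findings as a list of posts to review by hand.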
Be aware that not all attacks on WordPress sites are due to security issues found in the WordPress code. For open source software, WordPress is generally very secure because the development team aggressively goes after vulnerabilities when they are found. Many hacks are due to weak security at hosting companies or the use of weak passwords. There is also a Trojan that is infecting PCs with a virus that sends password files to the hackers. If you use the FileZilla FTP utility and the Trojan virus infects your PC, a security vulnerability in FileZilla may send your unencrypted FTP user names and passwords to a hacker.