
[30-May-2006]

Disabling the WordPress 2.02 Cache

Filed under: Tech — @ 19:24 EDT

This site was recently hijacked by some script kiddies from Vietnam who made use of the “‘cache’ shell injection exploit” that is well-documented and easy to find all over the web. (The poor lads are going to be really surprised when some friends of mine give them a good ass-kicking. I hope to have some video soon.)

The issue has been discussed at the WordPress support site here and here, but some of the discussions are technical and may be difficult for the average WordPress user to follow. The attacks are centered around the WordPress 2.02 internal caching mechanism, which I didn’t even know about, and which appears to be configured automatically when setting up a WordPress v2 site. Who knew?

This exploit will obviously be addressed in the next version of WordPress (as well as the simple MD5 “encryption” of the user passwords in the database), but until then it might be a good idea to disable the WordPress cache by editing the wp-config.php file and adding this bit of code:

define('DISABLE_CACHE', true);

The wp-content/cache folder should then be removed using an FTP tool and, with some luck, won’t be recreated.

Thank you to Rok for the cache disabling code.
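
A quick way to confirm that both steps took effect on the server, added here as an example and not part of the original post. The function name check_wp_cache and its return codes are made up for illustration, and the check only recognises a single-line, uncommented define.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the two steps in the post.
# check_wp_cache and its return codes are hypothetical, not WordPress tooling.
#
# Return value is a sum of:
#   1 = no active define('DISABLE_CACHE', true) in wp-config.php
#   2 = wp-content/cache still exists (or has been recreated)
#   4 = wp-config.php not found under the given root
check_wp_cache() {
    root=$1
    result=0
    config="$root/wp-config.php"
    cache="$root/wp-content/cache"

    if [ ! -f "$config" ]; then
        echo "no wp-config.php under $root" >&2
        return 4
    fi

    # Anchoring at line start skips lines commented out with // or #.
    # Assumption: the define sits on one line, outside any /* ... */ block.
    s='[[:space:]]*'
    pattern="^${s}define${s}\\(${s}['\"]DISABLE_CACHE['\"]${s},${s}[Tt][Rr][Uu][Ee]${s}\\)${s};"
    if grep -Eq "$pattern" "$config"; then
        echo "OK:   DISABLE_CACHE is set in $config"
    else
        echo "FAIL: no active define('DISABLE_CACHE', true) in $config"
        result=$((result + 1))
    fi

    if [ -d "$cache" ]; then
        # List what is in there so leftover or newly written files are visible.
        echo "FAIL: $cache exists; files inside:"
        find "$cache" -type f | sed 's/^/      /'
        result=$((result + 2))
    else
        echo "OK:   $cache is absent"
    fi
    return $result
}

# Run directly as: sh check_wp_cache.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    check_wp_cache "$1"
fi
```

Running it again a day or two after the cleanup shows whether the cache folder has been recreated.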




Content © 2005-2006 Valence Band Productions