If you are running an older version of WordPress, meaning anything older than 2.8.4, you ABSOLUTELY want to read this.
A worm that can post malware and spam to vulnerable WordPress installations has recently been discovered in the wild, and unless you're running the very latest version of WordPress, you are at risk. Seriously at risk.
The vulnerability allowing the attack was discovered August 11 and was immediately fixed by the WordPress team in the 2.8.4 security release. If you are using version 2.8.4 or later of WordPress, or host your blog on WordPress.com, you are safe.
Bah... This stuff never happens to me!
If rock star blogger Robert Scoble can be hacked, you probably can as well. This vulnerability is serious, so please treat it as such.
Have I already been hacked?
As Lorelle VanFossen wrote on her blog:
There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER %5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
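The two clues quoted above can both be checked mechanically. The following is an added example (not code from the original post or from Lorelle VanFossen): it scans web-server access-log lines for request paths that, once URL-decoded, contain the eval(...base64_decode(...) fragment, and it flags user records whose display name matches the worm's "Administrator (N)" pattern or whose login is not one you created. The log lines and the user list are constructed samples; the Apache log format and the three-column (ID, user_login, display_name) shape of the user list are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not real traffic). The second
# line mimics the permalink pattern quoted above: the path carries an
# eval(base64_decode(...)) fragment, URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2009:10:01:12 +0000] "GET /category/post-title/ HTTP/1.1" 200 5123
203.0.113.9 - - [05/Sep/2009:10:02:44 +0000] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 5123
203.0.113.7 - - [05/Sep/2009:10:03:01 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 8120
"""

# Constructed sample of a wp_users listing as (ID, user_login, display_name).
# The third row is the kind of cloned admin account the post warns about.
SAMPLE_USERS = [
    (1, "admin", "Administrator"),
    (2, "editor", "Jane Editor"),
    (3, "admin2", "Administrator (2)"),
]

# Pull the request path out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')

# The two keywords named in the post. We match the *decoded* path so that
# %7B / %5B encoding in the raw line cannot hide them.
INJECTION_RE = re.compile(r"eval\s*\(.*base64_decode\s*\(", re.IGNORECASE | re.DOTALL)


def suspicious_requests(log_text):
    """Return decoded request paths that contain eval(...base64_decode(...)."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = unquote(match.group("path"))
        if INJECTION_RE.search(path):
            hits.append(path)
    return hits


def suspicious_admins(users, known_logins):
    """Flag users whose display name looks like a cloned 'Administrator (N)'
    or whose login is not among the accounts you know you created."""
    clone_re = re.compile(r"^Administrator \(\d+\)$")
    flagged = []
    for user_id, login, display in users:
        if clone_re.match(display) or login not in known_logins:
            flagged.append((user_id, login, display))
    return flagged


if __name__ == "__main__":
    for path in suspicious_requests(SAMPLE_LOG):
        print("injection-style request:", path)
    for record in suspicious_admins(SAMPLE_USERS, known_logins={"admin", "editor"}):
        print("unexpected admin account:", record)
```

On a real site you would feed the contents of the web server's access log to suspicious_requests and the output of a query such as SELECT ID, user_login, display_name FROM wp_users to suspicious_admins; any hit from either function is a reason to go through the cleanup steps below, because a request of this shape indicates that the vulnerability has at least been attempted against the site.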
How do I prevent my site from being targeted?
It's easy. Upgrade. If you are using a somewhat recent version of WordPress (2.7+), upgrading is easy since the functionality is now built-in. But if you are not, you should take a look at the excellent InstantUpgrade plugin, which makes upgrading WordPress a single-click operation.
If you have already been hacked, you will need to delete the malicious admin user as well. Changing all your passwords is also strongly recommended.
You might also want to check out How to Keep WordPress Secure and the My Site Was Hacked FAQ.
How can I keep my WordPress blog safe in the future?
WordPress is generally a safe platform. However, we recommend that you always use the latest and greatest version to make sure that all known security exploits are patched. You should also make sure that your passwords are not easily guessable, either by a human or by a machine. A password of at least 8 characters which includes at least 1 uppercase letter, 1 lowercase letter and 1 digit is generally considered "strong". Following @defensio, @websenselabs and @wordpress on Twitter is also a good way to stay up to date.