I upgraded to the latest version of WP last week. It went well.
Yesterday I was editing my site and got locked out - I had to reset my password.
Half an hour later, it happened again. I thought it was really strange. I was doing a bunch of rapid edits very close together and I thought maybe it was some new security feature, that WP was locking me out. I meant to cruise through the codex to find out, but didn't have time.
Later that evening, my latest password still worked so I forgot about it.
Around 7:40 last night, my domain was running a Bank of America phishing site out of my images directory, which is where my WP installation is set to upload files.
My host, The Planet, suspended my site when they realized what was going on. My host won't un-suspend my site until they think I've made my WordPress installation secure again.
With a new pwd from my host, I was able to FTP in and delete a bunch of malicious PHP scripts from my images dir, but I'm not sure how my WP installation was compromised in the first place. No one else uses it but me, I always edit it from behind a firewall, and I can't think of any way my password could have been intercepted. (I'm an engineer at an ISP, btw.)
I desperately need comments, advice, links to security articles, etc.
Any advice would be deeply appreciated.
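
Added example, not part of the original post: a check that walks an upload directory such as the images directory described above and lists files that have no business there (server-side scripts, PHP code hidden inside image files, `.htaccess` overrides). The function name, the extension list and the 64 KB read limit are assumptions chosen for illustration.

```python
import os
import sys

# Assumption: extensions a PHP-enabled web server may be configured to execute.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".cgi", ".pl"}


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            # Check every dotted component: "logo.php.jpg" can still be
            # executed under some server handler configurations.
            exts = {"." + part for part in lower.split(".")[1:]}
            if lower == ".htaccess":
                findings.append((rel, "htaccess override in upload dir"))
            elif exts & SCRIPT_EXTS:
                findings.append((rel, "script extension"))
            else:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(65536)  # first 64 KB is enough for a marker
                except OSError:
                    findings.append((rel, "unreadable"))
                    continue
                if b"<?php" in head.lower():
                    findings.append((rel, "PHP code inside non-script file"))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in audit_upload_dir(target):
        print(f"{reason}: {rel}")
```

Run it against the upload directory on the server or against a copy downloaded over FTP; a clean media directory should produce no output.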