There also seems to be an assumption in what you've written that what happened to me and others was purely because of a personal or site security issue. I have no way of knowing this. Do you? Do you know for sure this is not a WordPress issue or that there is something to be learned by WordPress folks by examining the hack? If so, how do you know this?
Experience, research and the fact I am a nerdy tech sort.
Search the rest of the net, search here, search the rest of Google Groups. 9 times out of 10, a 'hack' is from bad security on your site or some cretin's idea of jollies in a theme or a plugin that you (the user, not you specifically) downloaded and installed. Now, there is a chance that this is a 'real' hack, but the odds are against it. I did (and do) the research on this often enough, since I work in both IT software and security (paying gig) and I run many sites using WP and other Automattic products. As a web host, I feel it's my responsibility to keep up on security issues, and after 10 years of that, I feel fairly confident that I know when someone has found a real vulnerability in the core product itself, and when someone has accidentally compromised their personal site security.
Based on the thread you linked to, which I did read in full, I came to the conclusion that the most likely culprit was the r57shell script, which someone uploaded as wp-xmlrpc.php. The hacker was clever. That's a NEARLY legit file name for WP and the casual user would never notice. BUT the file should be xmlrpc.php and it should be in your root blog directory, nowhere else.
Most likely options are these:
- There's a vulnerability in the actual xmlrpc.php file that permitted uploading the bad file (and if so, WordPress has shown fast response on those issues in the past)
- There's a server permission vulnerability.
That Google thread may look like a lot of people complaining about a similar problem but it's a drop in the ocean. There's only one post on these forums about it.
Conclusion: Site security is at fault, rather than WP itself.
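The point above about wp-xmlrpc.php (a near-miss of the real xmlrpc.php, dropped somewhere other than the blog root) is the kind of thing a small scan can catch. The script below is an added example written for this thread, not code from the poster or from WordPress: it walks a WordPress tree and flags files whose names mimic a core file, core file names sitting outside the blog root, and PHP files inside wp-content/uploads. The CORE_ROOT_FILES set is a hand-picked subset of root-level core files, not the full WordPress manifest, and the SAMPLE_PATHS list is constructed for the demonstration.

```python
"""Flag files in a WordPress install that mimic core names or sit where they should not."""
import os
from pathlib import PurePosixPath

# Hand-picked subset of WordPress core files that live in the blog root.
# Assumption for this example; extend it from a pristine copy of your WP version.
CORE_ROOT_FILES = {
    "xmlrpc.php",
    "wp-login.php",
    "wp-config.php",
    "wp-settings.php",
    "wp-load.php",
}


def classify(rel_path):
    """Return a reason string if rel_path (POSIX, relative to blog root) looks suspicious, else None."""
    path = PurePosixPath(rel_path)
    name, parent = path.name, str(path.parent)

    # A genuine core file name appearing anywhere but the root (e.g. uploads/2008/xmlrpc.php).
    if name in CORE_ROOT_FILES and parent != ".":
        return "core file name outside blog root"

    # A name that embeds a core file name but is not that file (e.g. wp-xmlrpc.php, wp-config.php.bak).
    for core in CORE_ROOT_FILES:
        if name != core and core in name:
            return f"name mimics core file {core}"

    # The uploads directory should hold media, never server-side code.
    if name.endswith(".php") and parent.startswith("wp-content/uploads"):
        return "PHP file inside the uploads directory"

    return None


def suspicious_files(paths):
    """Apply classify() to an iterable of relative paths; return (path, reason) pairs in input order."""
    findings = []
    for p in paths:
        reason = classify(p)
        if reason:
            findings.append((p, reason))
    return findings


def scan_tree(root):
    """Walk a real install on disk and report suspicious files relative to root."""
    rel_paths = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            rel_paths.append(rel.replace(os.sep, "/"))
    return suspicious_files(sorted(rel_paths))


# Constructed sample tree for the demonstration (not a real install).
SAMPLE_PATHS = [
    "index.php",
    "xmlrpc.php",
    "wp-login.php",
    "wp-config.php",
    "wp-config.php.bak",
    "wp-includes/class-wp-xmlrpc-server.php",
    "wp-content/plugins/hello.php",
    "wp-content/themes/default/wp-xmlrpc.php",
    "wp-content/uploads/2008/photo.jpg",
    "wp-content/uploads/2008/xmlrpc.php",
    "wp-content/uploads/2008/shell.php",
]

if __name__ == "__main__":
    for path, reason in suspicious_files(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

Run it against a live install with `scan_tree("/path/to/blog")`; anything it prints deserves a look, though the lookalike rule is a heuristic and a plugin may legitimately ship a file with a core-ish name, so compare hits against a clean copy of the same WordPress version before deleting anything.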