My server was compromised due to insecurities with the WordPress upload utility. The utility does not restrict file types to images. It would be nice if this type of a restriction were at least a configurable option. Because the upload utility allows (from my tests) anything to be uploaded, a hacker uploaded a PHP file into the uploads directory where he was allowed to execute it. Regardless of what the permissions should or should not have been in the uploads directory, the file should never have been accepted by the upload utility.