I have always run version 2.8.4 since its release, and have WP-Security Admin Tools installed and everything was good as far as security, no admin username, database tables not prefixed by wp_, etc. Or so I thought, until today. Now I find the code ;
eval(base64_decode('aWYoIWlzc2V0KCRpZ3AxKSl7ZnVuY3Rpb24gaWd, etc. etc.
inserted into a bunch of my .php files on my website. Nothing untoward is displayed on my pages or links to suggest to me my site has been hacked, the site just doesn't work until I have gone through and edited all of the offending code out of the pages. The only thing I can suggest security-wise is that I do have several plugins installed that have updates which I haven't installed (due to not wanting to break what's not already broken.) Are these plugin updates the source of my problem? Another thing I did recently was to install a plugin called "Who Is Online". I have since deactivated this plugin. Any ideas on how to stop this from happening again?