Background: I am an experienced webmaster but have not spent any time with my wordpress installation. My site was compromised over the long weekend, with a handful of files modified at three different times, and a "secret" admin installed at a fourth time.
My registrations were absolutely disabled -- I needed to enable them to register a guest account so that I could then get the edit URL so then I could use the edit function on this intruder. Yet I had 5 successful registrations in the 4 days prior to being hacked, and none since.
I had several files around the site that had malicious code inserted immediately following the opening PHP tags. I had a .htaccess file that redirected non-existent file requists to index.php changed to remove that code. I had an index.php file added.
I had the "hidden" admin user, but I do not see any permalink code anywhere on my site. m The admin user did not have an email address associated with it in the database.
The files modified were as follows:
I'm not sure what version of wp I'm running, but I am running WPAU and the dashboard is suggesting I upgrade to 2.8.4
Since I don't seem to be affected by the permalink issue (and the wp blog on my site is dormant for all intents and purposes), I only caught this because I noticed changed files were about to be copied during my backup process.