WordPress is great, but the more people who use it, the more “criminals” out there who will target its vulnerabilities.
Alex has a detailed write-up covering his site being hacked, in “My website was hacked – yours could be too! You won’t know until it’s too late.”
From the article (read the whole thing):
Yesterday I found out that my website had been hacked. Not only that, but it had been hacked months ago, and I hadn’t even noticed. How did this happen?
I only found out about it because somebody was kind enough to email me to let me know that they saw this on Google
Even the best of us get hacked when we use any “standardized” platform (Windows, OS X, WordPress, Drupal, etc.).
What is WSO? It’s an environment hackers can upload to your server when they find a vulnerability and then use to access everything on your site. When you’ve been hacked, this is the payload that a hacker wants delivered. It could sit dormant for months before being activated. Ever hear about those “Zombie Computers”? WSO is like a bite from a zombie: it can transform your website into anything they want at any time; all they have to do is wake it up.
Did Alex make any mistakes? Maybe … he should have been aware of the TimThumb vulnerability, as most WordPress developers were. Is it his fault? Not really.