In case you missed it, WordPress 2.8.3 has a programming error which allows anyone to reset your administrative password and take over your WordPress blog. With administrative access, the hacker could destroy your content, lock you out, and repurpose your website for wrongdoing, spamming, pornography, slander, or whatever they want. Upgrade to WordPress 2.8.4 immediately! Learn more at darknet.org.uk.
This vulnerability could be prevented by securing the /wp-admin directory.
BlogSecurity has recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem. See our advisory here for details. [Source, BlogSecurity, WordPress <= 2.8.3 Reset Admin Password Vulnerability]
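As an added illustration of the two mitigations named above (this is not configuration from the original post or from BlogSecurity's advisory), here is an Apache 2.2-style .htaccess for the /wp-admin directory that combines an IP allow-list with an extra HTTP Basic Auth login. The IP address and the .htpasswd path are placeholders; it assumes mod_auth_basic and mod_authz_host are loaded and that AllowOverride permits AuthConfig and Limit for the directory. The admin-ajax.php exception is an assumption about your site: some front-end plugins call that file for anonymous visitors, so locking it down with the rest of /wp-admin can break them.

```apache
# Added example: /wp-admin/.htaccess (Apache 2.2 syntax; on Apache 2.4 the
# host rules become "Require ip ..." and "Require all denied" instead).

# 1. Restrict the whole directory to known addresses.
#    Placeholder: replace 203.0.113.10 with your own IP address or range.
Order deny,allow
Deny from all
Allow from 203.0.113.10

# 2. Also demand a separate HTTP Basic Auth login, independent of WordPress.
#    Placeholder path: keep the file outside the web root and create it with
#    the htpasswd(1) tool, e.g.  htpasswd -c /path/outside/webroot/.htpasswd admin
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Both checks must pass (this is the default, stated here for clarity).
Satisfy All

# Assumption: admin-ajax.php is used by some plugins for anonymous visitors,
# so leave it reachable; drop this block if nothing on your site needs it.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy Any
</Files>
```

Test it from an address that is not on the allow-list: a request for /wp-admin/ should return 403 before any login prompt appears, and from an allowed address the browser should prompt for the Basic Auth credentials before the WordPress login page loads.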
See details of the exploit at milw0rm.
Time to take a pause from programming and do a quick upgrade to the blogs. Looks like someone is trying to do bad things. Alright. Everything is backed up. Next step, remove users that are obviously malicious. I have turned off allowing users to register since I don’t currently use features that would ever require you to be logged into RealityMe. If I accidentally deleted your account and you want to be registered at RealityMe just let me know. Deleted 40 megs of data that had accumulated in wp_sk2_spams and wp_sk2_logs. I have 52078 comments in wp_comments marked as spam constituting roughly 34.1 MB. I can find no dependencies between the wp_comments table and any other data so those comments are being deleted. As an aside, I have 3770 comments that are approved constituting 1.8 MB of data. I used "delete FROM wp_comments WHERE comment_approved = 'spam'" so if your comment was inadvertently marked as spam and I didn’t catch it, my apologies. My final step today is to upgrade from 2.6.2 to 2.6.3.