FWIW, this blog was running WP 2.8, which is about 6 months old. Current is 2.9.1. Upgrading is trivial.
If you're not keeping Wordpress updated, expect this to happen to your blog too.
Replacing eval with alert/echo is a nice technique, one I hadn't thought of.
Thankfully I haven't had to think of it in years; their conclusions (basically, more logging and keeping up-to-date) would be valid if it weren't Wordpress itself which is usually the attack vector. It's better to use something else entirely.
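The "replace eval with echo" trick the comment above refers to can also be done fully offline, without running the injected PHP at all: parse the `eval(decoder(decoder('...')))` wrapper, apply the decoders yourself, and repeat until no `eval` is left. The following Python is an added example, not code from the thread or from any WordPress project; the obfuscated script it peels is constructed in-line around a benign `echo` payload, using the common `base64_decode` / `str_rot13` / `gzinflate` layering, so that the test can check the unwrapped result.

```python
import base64
import codecs
import re
import zlib

# Constructed sample: a harmless payload, wrapped the way injected PHP often is.
INNER_PAYLOAD = 'echo "hello from the inner layer";'


def php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE with no header, matching what PHP's gzdeflate() emits."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes) -> bytes:
    """Inverse of php_gzdeflate(), matching PHP's gzinflate()."""
    return zlib.decompress(data, wbits=-15)


def build_sample() -> str:
    """Build a three-layer eval() wrapper around INNER_PAYLOAD (constructed, benign)."""
    b64 = lambda b: base64.b64encode(b).decode()
    layer1 = "eval(base64_decode('%s'));" % b64(INNER_PAYLOAD.encode())
    layer2 = "eval(base64_decode(str_rot13('%s')));" % codecs.encode(b64(layer1.encode()), "rot_13")
    layer3 = "eval(gzinflate(base64_decode('%s')));" % b64(php_gzdeflate(layer2.encode()))
    return "<?php " + layer3


# Pure-Python stand-ins for the PHP decoders, so nothing is ever executed.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "gzinflate": php_gzinflate,
    "gzuncompress": zlib.decompress,
}


def unwrap_once(src: str):
    """Return the code that eval() would have run, or None if src is not an eval wrapper.

    This is the static equivalent of editing `eval(` to `echo(` and looking at the output.
    """
    m = re.match(r"^\s*(?:<\?php\s*)?eval\((.*)\)\s*;?\s*(?:\?>)?\s*$", src, re.S)
    if not m:
        return None
    expr = m.group(1).strip()
    funcs = []  # decoder names, outermost first
    while True:
        call = re.match(r"^(\w+)\((.*)\)$", expr, re.S)
        if not call:
            break
        funcs.append(call.group(1))
        expr = call.group(2).strip()
    lit = re.match(r"^(['\"])(.*)\1$", expr, re.S)
    if not lit:
        raise ValueError("unsupported eval argument: %r" % expr[:40])
    data = lit.group(2).encode("latin-1")
    for name in reversed(funcs):  # innermost decoder is applied first, as PHP would
        if name not in DECODERS:
            raise ValueError("no offline decoder for %s()" % name)
        data = DECODERS[name](data)
    return data.decode("latin-1")


def peel(src: str, max_layers: int = 10):
    """Unwrap nested eval layers; returns every layer, original first, final payload last."""
    layers = [src]
    for _ in range(max_layers):
        nxt = unwrap_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(peel(build_sample())):
        print("layer %d: %s" % (i, layer[:70]))
```

Stopping when the current layer no longer starts with `eval(` is what keeps this safe: the final payload is printed for a human to read, never handed to an interpreter. A decoder this parser does not know (`ValueError`) is a signal to look at that layer by hand rather than to add an `exec`.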
It really says something about Wordpress that it has its own ecosystem of malware, like an OS or browser. Except unlike an OS or browser, it just does blogs. The sensible solution is probably what people get told when they use a browser with a poor security record - 'don't use that'.
Wouldn't it make sense to let Wordpress host your blog? Lately there seems to be one too many security updates for Wordpress. Why let the customer distract themselves with Wordpress upgrades etc.? Was the cost-benefit of this looked into during this removal?