I'll admit, this got me to do a quick sweep of my dozen or so WP blogs and make sure they were all updated. That said, I think it's likely we're seeing TechCrunch Journalism (TM) in action.

Wordpress security is a pain in the keister, though. You can reduce your risk by:

1) Making regular backups (I like automysqlbackup.sh.) Comprehensive compromise of a Wordpress installation is only really recoverable by wiping and starting over, unless you want to find that your forgotten posts from 3 years ago are linking to viagra pharmacies.

2) Putting every Wordpress installation in its own DB with its own DB user. Don't use root. I have a script which installs WP for me and creates the new DB, creates the new user, and gives the user an insanely difficult password because it will never actually be typed by a human.

3) Making sure the Wordpress directories can't get written to by the server. I go as far as blocking the uploads, which means I have to do some chmod magic when uploading things.

4) If you can put up with the nuisance, protect the wp-admin directory at the web server level, for example by denying all IPs but your own, or by putting it under HTTP Basic authentication. That will cut down drastically on the number of automated probes that hit you. You don't have to run faster than the tiger, you just have to run faster than the other guy the tiger is chasing...
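Points 2 and 4 above are the ones a script can do for you. The following is an added example, not the commenter's own install script: it generates a random password that no human will ever type, prints the SQL that gives one site its own database and a least-privilege user (no `ALL PRIVILEGES`, no `root`), and prints an nginx snippet that allows only one address into `wp-admin`. The site name `myblog`, the address `203.0.113.10`, the `wp_` prefix and the `CREATE ... IF NOT EXISTS` forms (MySQL 5.7+ / MariaDB 10.1+) are assumptions; the snippet is meant to be merged into a server block that already handles PHP.

```shell
#!/bin/sh
# Added example: provision a per-site WordPress DB user and a wp-admin IP restriction.
# Site name and admin IP are placeholders, not values from the thread.
set -eu

# Random alphanumeric password read from the kernel CSPRNG.
# Alphanumeric only, so it needs no escaping inside the SQL string below.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# Accept only [A-Za-z0-9_] so a site name cannot smuggle SQL into the script we emit.
valid_ident() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# SQL for one site: its own schema, its own user, rights on that schema only.
# Note the explicit privilege list instead of ALL PRIVILEGES, and no access to mysql.*.
wp_db_sql() {
    site="$1"
    pass="$2"
    valid_ident "$site" || { echo "refusing unsafe site name: $site" >&2; return 1; }
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`wp_${site}\` CHARACTER SET utf8mb4;
CREATE USER IF NOT EXISTS 'wp_${site}'@'localhost' IDENTIFIED BY '${pass}';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX ON \`wp_${site}\`.* TO 'wp_${site}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# nginx snippet: deny everyone but one address on the dashboard.
# admin-ajax.php stays open because front-end themes and plugins call it.
wp_admin_nginx() {
    ip="$1"
    cat <<EOF
location = /wp-admin/admin-ajax.php {
    allow all;
}
location ^~ /wp-admin/ {
    allow ${ip};
    deny all;
    try_files \$uri \$uri/ /index.php?\$args;
}
EOF
}

main() {
    site="${1:-myblog}"            # placeholder site name
    admin_ip="${2:-203.0.113.10}"  # placeholder documentation address
    pass="$(gen_password 32)"
    wp_db_sql "$site" "$pass"      # pipe into: mysql -u root -p
    echo
    wp_admin_nginx "$admin_ip"     # paste into the site's nginx server block
    echo "# wp-config.php values: DB_NAME=wp_${site} DB_USER=wp_${site} DB_PASSWORD=${pass}"
}

main "$@"
```

The SQL goes to stdout rather than straight into `mysql` so you can review it before it runs as root, and the password appears once, in the trailing comment, for pasting into `wp-config.php`. If you prefer Basic authentication over an IP allow-list, swap the `allow`/`deny` pair for `auth_basic` and `auth_basic_user_file` in the same location block.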
I've swapped out my Wordpress installation in favor of a static HTML site generated by a couple of Python scripts. Wordpress is great if you need all that power, but it isn't maintenance-free. Making things static reminded me how nice it can be to have a site that is essentially immune to attack and blazing fast, all without the overhead of dynamic page generation. It's cool that Movable Type does static generation too.
WordPress is probably the most heavily attacked web app ever designed. If you're serious about security then don't use Wordpress, or always keep up with releases.
Install this simple plugin on any version of WordPress to block bad queries like that:

http://pastebin.com/f6697b79

It could easily be expanded to also look at $_POST data, which is another form of attack you'll never see in your logs.
This is just business as usual. Wordpress is under attack constantly. One of my blogs has been hacked 5 times this year already.

Of course updating is not enough.

That's why the Obama campaign used Movable Type instead of WP.