I had an attached comment with this information but want to break it out, as it will likely be useful to people without lots of time dealing with the various ways WordPress can/will (mostly will) get attacked.

First: Double-check your folder and file permissions. A lot of plugins like and love very open folder permissions so they can write stuff everywhere. Be very careful with changing permissions on core WordPress stuff! If, for instance, you give the web server write permissions to the core, you're going to have a bad time. This is made worse by the fact that many people are used to using the wp-admin 'upgrade' functionality. In my view this is beyond awful. A lot of WP exploits would be made much harder by just not allowing this and manually upgrading the WordPress core. It's very easy anyway.

Second: Disable the following PHP functions in php.ini on the server hosting WordPress:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

You can just add that line anywhere in the php.ini, restart Apache (or php-fpm if you're using that), and you've suddenly blocked 99% of the WordPress and greater PHP attacks against your server. Essentially, you'll run across some PHP scripts eventually that want one or more of those permissions. If they do, run them on a server separate from WordPress and also keep the application way up to date (or you'll have a bad time).

Third: Install and keep this handy: http://wpscan.org/

WPScan allows you to do a URL/folder-based WordPress scan looking for vulnerable files, WordPress versions and plugins. It is a very good tool to keep handy if you host lots of WordPress sites.

Oh, one more little thing. The TimThumb vuln issue someone mentioned below... keep this handy for the newest version: http://timthumb.googlecode.com

Any questions?
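A small audit script for the first two points above (an added example, not code from the comment's author): it lists WordPress core files the web server's group or anyone else could write to, skipping the uploads directory where write access is expected, and reports which of the recommended functions a php.ini does not disable. The directory tree and php.ini text it builds are constructed for the demo; `demo`, `writable_core_files` and `missing_disabled_functions` are names chosen here.

```python
import os
import re
import shutil
import stat
import tempfile

# The functions the comment recommends putting in disable_functions.
RECOMMENDED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen",
               "curl_multi_exec", "parse_ini_file", "show_source"}

def disabled_functions(ini_text):
    """Functions named in the last active disable_functions line of a php.ini."""
    found = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()            # drop php.ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:                                            # later lines override earlier ones
            value = m.group(1).strip().strip('"')
            found = {f.strip().lower() for f in value.split(",") if f.strip()}
    return found

def missing_disabled_functions(ini_text, required=RECOMMENDED):
    """Recommended functions the ini does NOT disable, sorted for stable output."""
    return sorted(required - disabled_functions(ini_text))

def writable_core_files(root, allowed=("wp-content/uploads",)):
    """Relative paths under root that are group- or world-writable, ignoring
    directories where WordPress legitimately needs write access."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(allowed):                  # str.startswith takes a tuple
                continue
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(rel)
    return sorted(hits)

def demo():
    """Constructed WordPress-like tree plus a partial php.ini; returns both audit results."""
    root = tempfile.mkdtemp()
    for rel, mode in [("wp-config.php", 0o640), ("wp-includes/load.php", 0o666),
                      ("wp-content/uploads/a.jpg", 0o666)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)                             # explicit so umask does not matter
    ini = "; constructed sample\ndisable_functions = exec, passthru ,shell_exec\n"
    result = (writable_core_files(root), missing_disabled_functions(ini))
    shutil.rmtree(root)
    return result
```

Run `demo()` to see the one over-permissive core file and the six functions still enabled; point `writable_core_files` at a real document root and `missing_disabled_functions` at the output of `php --ini`'s loaded file to audit a live host.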