This video is 1280 x 720 – watch it in fullscreen to see the details.
This is, sadly, a report about the present. I read reports yesterday about an attack on all versions of WordPress except the very latest – 2.8.4. I have a bunch of sites that I maintain and many of them were pretty easy to upgrade by using the built-in automatic upgrade feature. I also have a few sites that are old and inactive. Those needed to be upgraded by hand. The thing that I noticed on ALL of the sites that were not already running 2.8.4 was that they had hidden admin users on them. The sneaky thing about that is that you may not have any other symptoms besides these hidden accounts and then think you are safe once you’ve upgraded. They are, essentially, back doors left on your site to be exploited later. So you have to make sure to get rid of them. The process is a little tricky – at least it’s not a typical WordPress user operation, so I’ve documented two ways to do it in this screencast.