So do these three things right now:
1. Log in to your WordPress admin dashboard and check what version of WordPress you have installed. If you’re running any version higher than 2.7, you’ll see text like this in the ‘Right Now’ module at the top of your screen (if you don’t see that module, check your screen options settings):
2. Change all your passwords, including the admin password, the password for each user if you have multiple users, and your FTP access password. Then check the list of users to see if there are any you don’t recognize. If so, remove them.
3. If the version text on your dashboard says anything other than “You are using WordPress 2.8.4,” you’ll need to upgrade. You can do it from within your WordPress admin if you’re using a recent version (if you’re not, then you really are at risk). Or check your hosting service to see if they offer an easy upgrade method, such as 1-Click, the simple and secure method offered by DreamHost, my hosting service, or something like Fantastico, offered by many others.
If you do have to upgrade, by whatever method you use, please still follow the detailed how-to guide in the WordPress Codex, the detailed documentation system for all things WordPress, paying special attention to the prep you need to do before you execute the upgrade.
Or, check out my 6 tips for upgrading WordPress including the 10-minute audio guide.
It never ceases to surprise me how some bloggers don’t upgrade (I’ve been guilty, too). Yes, it can be inconvenient and a bit time-consuming, especially if you rigorously do the prep, including disabling all plugins.
Yet the consequences of not doing it can be catastrophic. So it’s worth the time invested.
If you are interested in the details of exactly what this security issue is all about, including the tell-tale signs that suggest your site may have been compromised, read Lorelle VanFossen’s post with the alert about this issue. She also has links to some terrific resources on how to strengthen your blog security.