I manage my own VPS server and installed a lot of security features, but still my wp 2.9.2 was hacked. Analyzing http logs I found that within only a few minutes hacker gained access to my admin panel posting something at “wp-login.php?action=lostpassword” page. There must be SQL injection vulnerability that allows hacker to get md5 hash from database or just change it to any he wants.
I hope this will be discovered soon, but for now wordpress firewall plugin saves me.
