Ok, so I was hacked. I am paying more attention now!
My WordPress is the latest update, I’ve done some permissions changes, some new passwords, and it is working. Next up is to check the available security options that should save me time.
This Hardening WordPress codex page at WordPress is a good start.
The first is Secure WordPress. Install this to address some of the simple things. I suggest ticking all the options and checking that it does not interfere with anything. Uncheck the options only if something breaks.
The second one is WordPress Security Scan. This one checks a lot of settings and options that are addressed by the above and will give a confirmation that it’s working.
With the scanner I found that my hosted server did not have permissions to alter the table prefixes which is recommended. For an existing site this can be daunting but its not really. You will find good support at the authors site Semper Fi Web Design. There is a WordPress forum post on this topic that covers the main process for doing this manually.
There is another issue that one of the recommendations is that you should change the admin user account name to something a bit more random. This will break WP 3.1 Network Admin (the new version of MU). This may have changed check the forums post on this topic.
I also configured .htaccess for my admin directory but that created 404 errors on my MU / Network site. Since first writing this I have spent some time on why .htaccess did not work. It works now and the details can be read in a post on WordPress Admin pages and htaccess password protection.
As a result of this I found that I could use the AskApache plug-in (v4.6). The install was easy enough and I recommend it for single site WP installs. It breaks in MU or Network configuration due to the rewrite rules. Now I have to admit I have also reviewed the AskApache admin area since my ordeal of sorting this out and the author does make mention of the 404 error issue, unfortunately it is inside the admin panels which are inaccessible when the error occurs. The author also suggests checking his blog but there is no link, so I am a little vague as to where to contact or report issues. One other issue with the plug-in is that it breaks the css in FF. IE seems ok? But it is a minor issue.
There are other plug-ins but the 3 mentioned here should be sufficient to bolt it down pretty well.