It looks like I’m in the clear with the hack, assuming WordPress 3.1.4 and the plugins I’m using are safe.
I thought about it a lot and figured that I’m about as safe hosting my own WordPress as I am subscribing to WordPress. The main thing I suffer from hosting my own is that I don’t have 24/7 support for myself. But given that the world didn’t end and my blog’s situation didn’t get any worse in the 6 hours I left it alone, and I recovered OK, I think it’s possible for me to bear the risk.
Anyhow, I think we’re good here, and I’m sort of glad it happened in the Julia Child sort of sense – I was able to see that handling a hack isn’t so bad and that I was able to deal with it effectively on my own – it also gave me the opportunity to write about it, which I hope will help more folks than just me in the future.

[...] Please note that this is hardly the only active WordPress hack. This one was slick in that it was only obvious in the admin interface; regular site visitors would not have noticed anything (but their browsers would be executing the malicious code). One of the MetaFilter site members, kalessin, suffered an attack that also targeted his database. The attack and what he had to do to fix it are detailed in Part 1, Part 2 and Part 3. [...]