One thing they apparently don't get, but really should, is to get sued for this.
Copy your database (make a backup), uninstall WordPress, install it again and put your database back. Tell your hosting provider that your site was hacked. Use the latest version of WordPress, chmod all your directories to 755 and put the same Not Found and Forbidden pages.
Sometimes you just have to use the IP lists from Block A Country to create firewall rules to prevent the e-jihadis from accessing your servers at all.
Some hacker attacked your blog by RFI (Remote File Inclusion) and defaced your blog.
Please upgrade your blog to the latest WordPress.
This is the best way to secure!
Most likely your MySQL server directly. Doesn't have to be a WordPress bug.
You might also try WP Security Scan.
WP Security Scan checks your WordPress installation for security vulnerabilities and suggests corrective actions. It checks:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
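An added example, not from any poster in the thread: a shell check for the "directories at 755" advice and the file-permissions item in the list above, run from the host's shell rather than from inside WordPress. The function names and the sample tree are constructed for illustration, and treating group- or world-writable files as too loose is an assumption.

```shell
#!/bin/sh
# Added example: report permission problems under a WordPress root.

# Directories whose mode is not exactly 755 (the value suggested in the thread).
dirs_not_755() {
    find "$1" -type d ! -perm 755 -print | sort
}

# Regular files writable by group or by other (assumed "too loose").
loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# Print a report. Returns 0 if clean, 1 if findings, 2 on a bad argument,
# so it can gate a cron job or a post-restore checklist.
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    report=$(
        dirs_not_755 "$root" | sed 's|^|DIR  not 755: |'
        loose_files "$root" | sed 's|^|FILE group/world-writable: |'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree (not a real install): one loose directory
# and one loose file among otherwise tidy entries.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-admin"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-admin"
    chmod 777 "$t/wp-content/uploads"
    chmod 644 "$t/index.php"
    chmod 666 "$t/wp-config.php"
    echo "$t"
}

# Usage: sh audit.sh /path/to/wordpress   (no argument: define functions only)
[ $# -eq 0 ] || audit_wp_perms "$1"
```

Running it after the reinstall and again after restoring the database shows whether either step changed modes back.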
Yes, that's right; however, in this case where the WP install is already compromised, I have a strong feeling that the hackers already got around it and created something to fool the security scan.
As Whoa said, back up your database, uninstall and reinstall WP using Fantastico from your cPanel (just to make things go faster), then restore your database, then use the WP Security Scan plugin.
Also notify your hosting admins regarding this matter and hopefully they can do something to prevent this incident from happening again in the future.
WordPress does work on making its latest versions more secure, but the problem is that so many are installing it via Fantastico in cPanel and they always offer an outdated version.