I have a suspicion about the cause of yesterday’s hack. devlounge.net had a similar infiltration, but by a friendly attacker who explained his methods: he read the wp-config.php file while the site was serving it in plain text (which I’m assuming can happen through an Apache error / misconfiguration). PHP files weren’t being processed, so their source code was visible to anyone who requested them. As wp-config.php contains the MySQL username and password, the attacker could then log into phpMyAdmin, change the admin email address and request a password reset.
How to protect against this? Well, WordPress 2.8 supports moving wp-config.php one directory above the WordPress install (via @egwor). For sites in the root, like mine, that puts it above the publicly-accessible directories, so wp-config.php is completely out of harm’s way. I’ve just done this, and all is working fine.
If the WP install is in a subdirectory, wp-config.php can be protected by adding this to the .htaccess (from devlounge.net):
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
That makes it inaccessible over HTTP even when PHP files are being served as plain text. Got to be worth doing.
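The “deny from all” form above is Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and otherwise the directive is rejected and the server returns a 500 for the whole site. Here is an added example (my own, not from devlounge.net or WordPress) of an .htaccess that handles both server generations and also covers editor backup copies such as wp-config.php~ or wp-config.php.bak, which are served as plain text just like the original. It assumes the .htaccess sits in the WordPress directory and that AllowOverride permits the Limit and AuthConfig directive groups there.

```apache
# Block direct HTTP requests for wp-config.php and any backup copy of it
# (wp-config.php~, wp-config.php.bak, ...) regardless of whether PHP is
# being executed. Assumes this .htaccess lives in the WordPress directory.

# Apache 2.4 and later: authorisation is handled by mod_authz_core.
<IfModule mod_authz_core.c>
    <FilesMatch "^wp-config\.php">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to the
# Order/Deny directives from mod_authz_host.
<IfModule !mod_authz_core.c>
    <FilesMatch "^wp-config\.php">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

After adding it, request wp-config.php from your own site and confirm you get a 403 rather than the file or a 500; a 500 usually means AllowOverride is not permitting these directives, in which case the same block can go into the virtual host configuration instead. Note that this only blocks HTTP access: moving the file above the document root, as described above, is still the stronger option because no web server rule is needed at all.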