You are currently browsing the Hostroute Blog blog archives for September, 2011


The state of WordPress security.

I was recently reading Reddit and came across this list posted on the netsec discussion board. If you look at the list, you will notice that nearly all the exploits are from plugins.

WordPress is a brilliant platform for creating websites and blogs and is our recommended CMS of choice for novices. However, like everything, you have to be careful when using it.

Take a look at the mini scenario below:

Dave likes using WordPress for his blog; it’s easy to use and looks good. He also likes adding plugins, as they add functionality and enhancements to his site. Dave was searching Google one day when he found some cool-looking plugins, which he promptly added to his site. The next thing he knows, his site has been hacked.

When adding plugins to your WordPress installation, you need to be very careful about where you found them and what they do. Just because a plugin says it does one thing doesn’t mean that it won’t contain a malicious script, or that it hasn’t been coded by a novice and left with security holes. Always keep your WordPress installation and any plugins up to date to help combat exploits.
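One way to take stock of what is actually installed, as an added example that is not part of the original post: the script below reads each plugin's header (name and version) and flags PHP files that decode and execute a string at runtime. It assumes the standard wp-content/plugins layout; the pattern list is a heuristic chosen for this example, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header near the top of the main file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version|Plugin URI):\s*(.+?)\s*$", re.M | re.I)
# Assumption: heuristic picked for this example. Decoding a string and executing it
# at runtime is rare in honest plugin code; a match means "read this file", not proof.
SUSPICIOUS = re.compile(r"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def read_header(php_file):
    """Return the header fields found in the first 8 KB of a PHP file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER.findall(head)}

def audit_plugins(plugins_dir):
    """Inventory each plugin: folder, name, version, and files matching SUSPICIOUS."""
    report = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_dir():
            mains, files = sorted(entry.glob("*.php")), sorted(entry.rglob("*.php"))
        elif entry.suffix == ".php":      # single-file plugin dropped straight into plugins/
            mains = files = [entry]
        else:
            continue
        for f in mains:                   # the main file is the one carrying "Plugin Name"
            header = read_header(f)
            if "plugin name" in header:
                break
        else:
            header = {}
        flagged = [f.relative_to(plugins_dir).as_posix() for f in files
                   if SUSPICIOUS.search(f.read_text(encoding="utf-8", errors="replace"))]
        report.append({"dir": entry.name, "name": header.get("plugin name", "(no header)"),
                       "version": header.get("version", "?"), "flagged": flagged})
    return report

def build_sample(root):
    """Constructed sample tree: one clean plugin, one hiding an inert obfuscated loader."""
    good, bad = Path(root, "contact-form"), Path(root, "cool-slider")
    good.mkdir()
    (bad / "inc").mkdir(parents=True)
    (good / "contact-form.php").write_text("<?php\n/*\nPlugin Name: Contact Form\nVersion: 2.1\n*/\n")
    (bad / "cool-slider.php").write_text("<?php\n/*\n * Plugin Name: Cool Slider\n * Version: 0.3\n */\n")
    (bad / "inc" / "cache.php").write_text("<?php eval(base64_decode($_x)); // constructed\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_plugins(build_sample(tmp)):
            print(row)
```

Point audit_plugins at a real wp-content/plugins directory to get the same report, then compare each name and version against the place the plugin was downloaded from.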

If your WordPress site has been hacked recently (up to a month ago), you can simply delete your public_html and restore from an R1Soft backup, making sure to update everything once it has been restored. If your site has been compromised for longer than that, you will have to clear it out manually and reinstall a fresh copy of WordPress.