Small offtopic nit to pick: it's the IT department's job to teach you how to use a computer? Is computer use not a standard job requirement for most posts?

Coming from a very broken organization that had this very attitude ("Excel training is IT's job!"), I pity the poor schleps in IT. I'm very glad I moved to dev.

That isn't to say that there's no middle ground here. The IT department should be able to force this usage video to run once after the imaging, unless M$ has disallowed this. Beyond that, if training is needed, it should be rolled into the project plan for rolling out a new OS and be handled by a training department or outsourced training program.

I also view tech saving tools as a hindrance to saving. I've tried a lot: Quicken, Money, Mint, the venerable Pear Budget, etc. All tools that allow you to grok where your money is going, but provide little incentive or mechanisms to curb spending. We collect all this great data and then say "huh..." and shrug our shoulders.

My parents always had a drawer in the clothes dresser that had the "house money" in it for the month. Once that cash was depleted, there was no more money for the house, period. This was real incentive to spend wisely and to see how much money was left. If there is a technology that can easily enable this "cash envelope" system, I am not aware of it.

Forgot one thing:

The hack puts a list of sites to redirect to in a .logs directory. rm these.

Most of my WP installs were infected because I am a slack ass. Here are the high level steps I took to solve the problem:

• 1) Backup sites.
• 2) Fix all world-writable directories in your WP install (what the hell WP?!). This seems to be the primary vector for getting in.
• 3) Clean up infected PHP files with this script from php-beginners.com. Thank you Paolo.
• 4) Inspect all .htaccess configs for errant redirects and fix.
• 5) Install and run the timthumb vulnerability scanner. Possible secondary vector. Thank you Peter Butler!
• 6) Update your WP install to latest and greatest.
• 7) Remove any unused plugins and themes.
• 8) Backup sites.

I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for post - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but still it still shocks me how insecure this app is.