[jbm]

I had originally considered the encrypted / hardcoded password, but wouldn't one simply need to grab the decryption code with the same hack (files set to 0777) and have access?

Not trying to be flippant, it just doesn't strike me as easy to do.

A determined attacker with read-write access to the server is going to be able to do whatever they want, whether or not we encrypt the PW. The only thing that could reduce the damage level would be to avoid code monoculture; the only reason someone was determined enough to do so in this case was because there were thousands of blogs hosted on that shared host, all of which share the exact same vulnerabilities.