If you fail to upgrade immediately, malware is often installed and remains after an upgrade. I missed one site by a day and got infected. The default option to print the WP version in the <head> of each blog would certainly lower the likelihood of a script finding an outdated site. Unfortunately, once hacked, truly cleaning the site requires:
1. Backing up the theme, making a list of plugins installed
2. Inspecting theme for any hacks. (difficult if you wrote your own)
3. Deleting _all_ files
4. Walking through the wp_options table for any leftover holes (very difficult)
5. Re-install WP
6. Re-install theme and plugins.
The WP team needs to work something like what you linked to into the core.
I got hacked by something almost exactly like this about 3 months ago. They uploaded a folder called .files with about 2K HTML files in it to each of my folders.
Probably a few million crap files altogether. Was a huge pain in the ass to clear all that crap out. After that point I killed all WordPress installs, since it has such a huge target on its back.
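As an added example that is not code from any of the commenters, the POSIX shell script below walks the cleanup steps from the first comment (inventory the plugins, archive the theme for offline inspection, grep PHP files for obfuscation idioms typical of injected code, scan a wp_options dump for markup that has no business there) and also looks for dropped hidden directories full of HTML files, like the .files folder the second commenter describes. The WordPress tree, the theme, plugin and option names, the injected header.php, and the wp_options dump format (one option=value per line) are all constructed for the demo; the obfuscation regexes are a starting point, not a complete signature set.

```shell
#!/bin/sh
# Post-compromise triage helpers for a WordPress tree (added example, not
# from the thread). Everything under $WP is a CONSTRUCTED sample install.
set -eu

WP="$(mktemp -d)"
trap 'rm -rf "$WP"' EXIT

# --- constructed sample: two plugins, one theme with an injected file, a
# hidden spam directory, and a flat dump of wp_options ---
mkdir -p "$WP/wp-content/themes/mytheme" "$WP/wp-content/plugins/akismet" \
         "$WP/wp-content/plugins/contact-form" "$WP/wp-content/uploads/.files"
printf '<?php\n// legitimate theme code\nfunction mytheme_setup() {}\n' \
  > "$WP/wp-content/themes/mytheme/functions.php"
# typical dropper idiom: eval over a base64 blob (the blob here is harmless text)
printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' \
  > "$WP/wp-content/themes/mytheme/header.php"
i=0
while [ "$i" -lt 50 ]; do
  printf '<html>spam</html>' > "$WP/wp-content/uploads/.files/$i.html"
  i=$((i + 1))
done
cat > "$WP/wp_options.txt" <<'EOF'
siteurl=http://example.com
blogname=My Blog
active_plugins=a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:28:"contact-form/contact-form.php";}
widget_text=<script src="http://evil.example/x.js"></script>
EOF

# Step 1: list installed plugins (directory names under wp-content/plugins).
list_plugins() {
  ls -1 "$1/wp-content/plugins"
}

# Step 1: archive the theme so it can be inspected after the full wipe.
backup_theme() {  # usage: backup_theme WPROOT THEME OUTFILE; prints OUTFILE
  tar -cf "$3" -C "$1/wp-content/themes" "$2" && echo "$3"
}

# Step 2: flag PHP files using obfuscation idioms common in injected code.
find_injected_php() {
  find "$1" -name '*.php' \
    -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + || true
}

# Dropped spam directories: hidden dirs holding at least MINFILES HTML files.
find_dropped_dirs() {  # usage: find_dropped_dirs WPROOT MINFILES
  find "$1" -type d -name '.*' | while read -r d; do
    n=$(find "$d" -maxdepth 1 -name '*.html' | wc -l | tr -d ' ')
    if [ "$n" -ge "$2" ]; then echo "$d"; fi
  done
}

# Step 4: scan wp_options values for script tags or PHP-style payloads.
scan_options() {
  grep -E '<script|eval\(|base64_decode' "$1" || true
}

echo "== plugins =="; list_plugins "$WP"
echo "== suspicious php =="; find_injected_php "$WP"
echo "== hidden dirs with >=20 html files =="; find_dropped_dirs "$WP" 20
echo "== suspicious wp_options rows =="; scan_options "$WP/wp_options.txt"
echo "theme archived to $(backup_theme "$WP" mytheme "$WP/mytheme-backup.tar")"
```

The greps only catch the lazy, unobfuscated injections; anything that survives them still has to be read by hand, which is why the commenter's step 3 (delete everything and reinstall from known-good sources) is the reliable part of the procedure.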
I got a message from my host with a link to your site, where you instructed me to download and install a file... and I was 100% sure that it was just a scam, where you sent out spam messages pretending to be hosts, with a link to the blog post where you were asking me to download malware.
In fact I was in the process of contacting customer support of my host, when I noticed the letter I got in recent history.
You should really spend a little time making it look more legitimate.
Restricting access with .htaccess is a good idea: http://www.themepremium.com/wordpress-security-restrict-wp-c...