I work in the industry and I can say that wordpress does get hacked alot. Not really more than any other php application though, when you look at how many installation of wordpress are out there. Most of the hacks happen to people who haven't updated wordpress in months (I haven't made any changes to this wordpress site in years. Why is it hacked now? It must be your fault!) Or they have about 300 different plugins installed that haven't been updated and they only really use about 4 of them. Wordpress is not secure, but it's about as secure as you get with a php application that has as many features as it does and is updated with new features constantly.
If you don't see the users actually being created in your wordpress dashboard, then I would agree with Jonathon, check the mail headers to see where the messages are actually originating from. Also check if you have any other wordpress sites installed to your hosting account that you may have forgotten about in subfolders or in other domains. That's what I see most often. -John /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
