Oh no - half an hour after changing the Passwords still received a spam post!!!
I changed the post date backwards to 2008 to bann it from the homepage -> and you can see the new spam post here:
http://nestbau.info/your-comment-local-excelente-um-bom-tipojhge-o-o37/
How can this be possible? Is there a security gap somewhere?
Another idea - is there any possibility for other registerd members to post?
I have a few more Users as "Member" without any rights just for saving the game score and uploading images
(http://www.nestbau.info/game)
But I checked their access to the blog post script! They are not able to post or get access to the blog.
There must be some way for the spammer to get access to the blog. And I'm sure it is a script (not a real member) posting these things.
Some ideas what to do?