If you are using ProfilePress, formerly WP User Avatar, then make sure you are running the latest patched version available, 3.1.8.
Flaws before that version in 3.x made it possible for an attacker to upload “arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled.”
