Regardless my advice to any forum owners who take security seriously:
- Reset all you staff passwords.
- Implement a policy of regular password changes.
- Review who has access to what.
- Install a second layer of authentication such as .htpasswd
- Disable HTML posts / announcements.
- Install fail2ban or similar.
- Consider using https.