Yeah, I see your points. I just think there should somehow be a way to block hackers/script kiddies more efficient.

Their only goal in creating hidden admin users is to leave themselves a backdoor to be exploited later. If you find the hack, clean up the files, and upgrade the software, you might not notice those hidden admin users in the database. The current exploit even went to the trouble of trying to conceal its new admins on the user interface, using javascript trickery.

Creating a randomized table name prefix might help, but unfortunately straight SQL injection isn’t a common problem anymore with WordPress. The exploits that have been found most often are privilege escalation ones, where a user can gain abilities they should not have, and this then usually results in execution of arbitrary code. A random table prefix won’t help there. Also, it’s a “club” solution, it only protects by the lowest hanging fruit principle. If every blog implemented it, then it’s no longer any good, since the hacker could code around it if necessary.

A notification system would indeed do what you want, but it seems like you’d just get notified after the fact. Also, it really falls into plugin territory. There are security plugins that monitor the filesystem and can notify you of new files and/or file changes on a regular basis. These *would* have caught this hack and notified the user rather quickly. Not sure that should be in core though.