This is how I solved the problem.

1. Create a text file named ".htaccess" (without the quotes and beginning with .) and put the following contents in it:

order deny,allow
deny from all

allow from xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is your IP address. If you need to add more IP addresses, just add new lines with allow from xxx.xxx.xxx.xxx

You can check your IP here http://whatismyip.com/

2. Upload this file to the following directories:

/dap/admin/
/wp-admin/

3. Change all the passwords of the WP and DAP admins

4. In PayPal, regenerate your PayPal API USER, PayPal API PASSWORD and PayPal API Signature, and put the new ones in Setup -> Config

5. If your users log in through WP (it is unlikely but possible), they can log in at yoursite_dot_com/wp-login.php


DAP has nothing to do with this security issue.
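
An added example, not part of the original post: a small generator for the .htaccess file from step 1 that rejects malformed entries (including the unreplaced xxx placeholder) and also emits the Apache 2.4 form (Require ip) next to the post's order/deny/allow directives. The function name and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def build_htaccess(allowed):
    """Return .htaccess text that denies everyone except the given IPs/CIDRs."""
    if not allowed:
        raise ValueError("refusing to write a file that locks everyone out")
    nets = []
    for entry in allowed:
        # ip_network raises ValueError on typos or the unreplaced xxx placeholder
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{entry!r} matches every address")
        # Write single hosts without a /32 or /128 suffix
        host = net.prefixlen == net.max_prefixlen
        nets.append(str(net.network_address) if host else str(net))
    nets = list(dict.fromkeys(nets))  # drop duplicates, keep order
    lines = ["# Apache 2.4 (mod_authz_core)",
             "<IfModule mod_authz_core.c>"]
    lines += [f"    Require ip {n}" for n in nets]
    lines += ["</IfModule>",
              "# Apache 2.2 and earlier: same directives as the post",
              "<IfModule !mod_authz_core.c>",
              "    order deny,allow",
              "    deny from all"]
    lines += [f"    allow from {n}" for n in nets]
    lines += ["</IfModule>"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges
    print(build_htaccess(["203.0.113.10", "198.51.100.0/24"]))
```

The server only honours these directives in .htaccess if AllowOverride permits them (AuthConfig for Require, Limit for order/deny/allow); after uploading, request /wp-admin/ from an address that is not on the list and confirm it returns 403.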