Due to its popularity as a blogging platform, WordPress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic redirection and other purposes. Recently there has been a spate of automated attacks that take advantage of newly discovered security vulnerabilities in WordPress.
To date, WordPress has been keeping up with the security holes by releasing updates within a few days of new exploits being found, but in the past few days new exploits have appeared that nobody seems to have answers for.
One such attack actually happened to me back in January, when I noticed that a blog I was hosting had been littered with tens of thousands of pages relating to pharmaceuticals and adult material. Someone had gotten access to the blog and literally created new pages, such as this one:
The blog was running the most recent version of WordPress available at the time, and I traced the entry point back to a simple flaw in a script that was not adequately filtering user input. To its credit, WordPress released a new version that patched the vulnerability (among others) and asked its users to upgrade.
That was six months ago, but in May it happened again, this time with a new security hole and again it occurred a few days before WordPress was able to respond with an update. The problem is that most blog owners aren’t aware of the threat posed by hackers targeting blogs, as a successful attack may not tip off the blog owner in any way. The security vulnerabilities in WordPress have led to automated attacks across a very large number of blogs, often without site owners realizing what is happening.
If you are currently not running the latest version of WordPress then there is a very high chance that your site has already been compromised.
The common results of a successful attack are that a backdoor is installed (meaning the hacker can go back in and enter your blog at a later date), passwords for all users are downloaded, or spam pages are generated. At that point, you are no longer in complete control of your blog, including all the content and anything else in the same database that the WordPress install has access to.
Hackers are taking advantage of the open-source nature of the software to analyze the source code and test it for potential vulnerabilities. It is then left up to developers and users to detect, track down, and then close off the vulnerabilities in the code that attackers are using. The pattern seems to be that when a new hole is found, it is broadly exploited, then developers rush out a patch and a new release. Thankfully most of the damage inflicted by the automated exploits can be reversed with an upgrade, though in some cases you can be left with thousands of pages and images to clean up (and they are usually well hidden).
For users of WordPress, backups are essential, as are frequent updates, monitoring your blog usage and tracking the official WordPress blog and other blogs for news of any new security holes. There are also plenty of guides and applications available that can assist a site owner in further securing their blog.
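As an added example (not code from the original post or from WordPress), here is a small Python scanner of the kind a site owner could run over exported wp_posts-style rows to surface the hidden spam pages described above: it flags posts that hide text with CSS or contain spam terms, and, going a step beyond the post, posts created in rapid bursts by one account, which is what automated page creation looks like. The sample rows, the field layout and the term list are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of wp_posts-style rows: (id, author, date, status, content).
# Rows 2-4 mimic the hidden pharma/adult spam pages described in the post.
SAMPLE_POSTS = [
    (1, "admin", "2007-05-01 09:00:00", "publish", "<p>Our weekly roundup of news.</p>"),
    (2, "admin", "2007-05-02 10:30:00", "publish",
     '<p>Great post.</p><div style="display:none">buy cheap viagra online</div>'),
    (3, "admin", "2007-05-02 10:30:05", "publish",
     '<span style="position:absolute;left:-9999px">cialis discount pharmacy</span>'),
    (4, "admin", "2007-05-02 10:30:07", "publish", "<p>casino poker bonus</p>"),
]
# CSS tricks commonly used to keep injected text out of readers' view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
# Short illustrative term list; a real deployment would use a longer one.
SPAM_TERMS = re.compile(r"\b(?:viagra|cialis|pharmacy|casino|poker)\b", re.I)

def flag_suspicious_posts(posts):
    """Return {post_id: reasons} for posts that hide text via CSS or contain spam terms."""
    flagged = {}
    for post_id, _author, _date, _status, content in posts:
        reasons = []
        if HIDDEN_STYLE.search(content):
            reasons.append("hidden-css")
        if SPAM_TERMS.search(content):
            reasons.append("spam-terms")
        if reasons:
            flagged[post_id] = reasons
    return flagged

def flag_post_bursts(posts, window_seconds=60, threshold=3):
    """Return ids of posts created in a burst: `threshold` or more posts by one
    author within `window_seconds`, the signature of automated page creation."""
    by_author = {}
    for post_id, author, date, _status, _content in posts:
        stamp = datetime.strptime(date, "%Y-%m-%d %H:%M:%S")
        by_author.setdefault(author, []).append((stamp, post_id))
    window, burst_ids = timedelta(seconds=window_seconds), set()
    for entries in by_author.values():
        entries.sort()
        for i in range(len(entries)):
            j = i
            while j + 1 < len(entries) and entries[j + 1][0] - entries[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_ids.update(pid for _, pid in entries[i:j + 1])
    return sorted(burst_ids)
```

Run it against a database export after every upgrade; anything it flags is a candidate for cleanup and a sign that the backdoor may still be present.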
It is unknown just how many WordPress blogs are infected (I have seen instances of double infection, where a previously hacked host had been hacked again), but as an indicator, across the ten or more WordPress blogs that TechCrunch and I have access to, we can see over 100 requests daily for these various security holes. Stories about hacked blogs are becoming more and more <a href="http://blogsearch.google.com/blogsearch?hl=en&q=wordpress hacked&ie=UTF-8&scoring=d">common</a> and the ongoing concern is that the newest security hole could be found and exploited at any moment.
Update: In the comments, Anil Dash from Six Apart has linked to a post on their blog about MovableType vs WordPress in terms of security.