“Im getting paid!” – Websites hosted on WordPress hacked due to users’ poor password security

Graham Cluley

Millions of blogs hosted on WordPress.com can breathe a sigh of relief – although a hacker did manage to break into thousands of sites and publish a make-money-fast advert, it wasn’t because of any vulnerability on the WordPress.com site itself.

Instead, it seems users had simply been careless with their password security.

The alert was initially raised by The Hacker News (THN) and Sucuri, after some blog owners received messages from WordPress.com telling them that their passwords had been reset.

One affected WordPress.com user told THN that he had discovered hackers had published a page containing a money-making advertisement (pictured below).


Hacked page on a WordPress.com website

A Google search for

site:wordpress.com "Im getting paid!"

finds evidence of thousands of sites that suddenly found they had unwittingly published “Im getting paid!” webpages.

Compromised accounts

Although some theorised that the hacker may have exploited a vulnerability on WordPress.com (which would be a very serious problem as the WordPress.com infrastructure is used by many of the world’s most popular blogs and news sites), the truth seems to be rather more pedestrian.

Barry Abrahamson from Automattic (the company which runs WordPress.com) told Naked Security that there was no compromise of the WordPress.com servers, and that rather than a vulnerability the most likely cause of the problem was “people sharing the same password across multiple services.”

According to the firm, it spotted the problem quickly, notified affected users and reset passwords.

It’s good news that the sites hosted on WordPress.com weren’t hacked due to a vulnerability. After all, many blogs choose to host on WordPress.com in order to avoid the headache of managing their own security and updates on self-hosted WordPress installations.

So, remember folks – please use different passwords for different websites. If you use the same password in multiple places, it only takes that password being stolen from one of them for the attacker to gain access to your accounts everywhere else you used it.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
