Millions of blogs hosted on WordPress.com can breathe a sigh of relief – although a hacker did manage to break into thousands of sites and publish a make-money-fast advert, it wasn’t because of any vulnerability on the WordPress.com site itself.
Instead, it seems users had simply been careless with their password security.
The alert was initially raised by The Hacker News (THN) and Sucuri, after some blog owners received messages from WordPress.com telling them that their passwords had been reset.
One affected WordPress.com user told THN that he had discovered hackers had published a page containing a money-making advertisement (pictured below).
A Google search for
site:wordpress.com "Im getting paid!"
finds evidence of thousands of sites that suddenly found they had unwittingly published “Im getting paid!” webpages.
Although some theorised that the hacker may have exploited a vulnerability on WordPress.com (which would be a very serious problem as the WordPress.com infrastructure is used by many of the world’s most popular blogs and news sites), the truth seems to be rather more pedestrian.
Barry Abrahamson from Automattic (the company which runs WordPress.com) told Naked Security that there was no compromise of the WordPress.com servers, and that rather than vulnerability the most likely cause of the problem was “people sharing the same password across multiple services.”
According to the firm, it spotted the problem quickly, notified affected users and reset passwords.
It’s good news that the sites hosted on WordPress.com weren’t hacked due to a vulnerability. After all, many blogs choose to host on WordPress.com in order to avoid the headache of managing their own security and updates on self-hosted WordPress installations.
So, remember folks – please use different passwords for different websites. If you use the same password in multiple places, it only requires your password to be stolen in one place for it to have an unpleasant impact on your other online activities.