It probably feels that way to the bloggers using WordPress who have discovered that their sites have become spam buckets after a worm took advantage of known vulnerabilities in recent versions of the popular blogging software.

We don’t know how many blogs have been compromised. Still, as blogging journalist, Adam Tinworth wrote: By Saturday, tech celebs from Robert Scoble to Andy Ihnatko got hacked. Twitter was full of the wails of the hacked, and the retweeting of the warning.

Are WordPress blogs more likely to be hacked? 1


The worm registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide when you look at [the] users page, attempts to clean up after itself, then goes quiet, so you never notice while it inserts hidden spam and malware into your old posts,” according to Matt Mullenweg, founding developer of WordPress.

Automatic, the company behind WordPress, discovered the latest vulnerability on 11 August and offered a patch the next day. Blogs hosted on were running the latest version of the software and were unaffected. You know a joke when a site or bit of social media software like WordPress becomes successful when it gets spammed. A positive spin on this worm is that WordPress has become successful enough to warrant the attention of coding malcontents. Still, it’s difficult for those affected to find a silver lining when they have to spend hours cleaning up compromised blogs.

Security analyst David Kierznowski at BlogSecurity has a list of more than two dozen known vulnerabilities in all versions of WordPress. A 2007 survey of 50 WordPress by Kierznowski found that only one of the sites was running the latest version of the software, leading him to warn that the WordPress community was vulnerable to attacks. So maybe the question isn’t whether WordPress is more likely to be hacked but whether WordPress users are less likely to upgrade.

Related Articles : 

Mullenweg told the Guardian: Our success has definitely brought more people into the community, both improving the code and looking for ways to exploit it. It’s unlikely an in-house Cm [content management system] project or smaller software would have the quality or quantity of developers WordPress does, and ‘security through obscurity’ of the code being private is not effective protection.

But the anxiety that this attack – one of a number in the past year against WordPress – has engendered may create enough concern for someone to spot the chance to create a rival product. Mullenweg agrees that this is a “unique opportunity” – though that may be just to tempt people to move to Automatic’s hosted offering. Kevin Anderson