"Im getting paid!" - Websites hosted on WordPress hacked due to users' poor password security

Filed Under: Vulnerability

Millions of blogs hosted on WordPress.com can breathe a sigh of relief - although a hacker did manage to break into thousands of sites and publish a make-money-fast advert, it wasn't because of any vulnerability on the WordPress.com site itself.

Instead, it seems users had simply been careless with their password security.

The alert was initially raised by The Hacker News (THN) and Sucuri, after some blog owners received messages from WordPress.com telling them that their passwords had been reset.

One affected WordPress.com user told THN that he had discovered hackers had published a page containing a money-making advertisement (pictured below).

Hacked page on a WordPress.com website

A Google search for

site:wordpress.com "Im getting paid!"

finds evidence of thousands of sites that suddenly found they had unwittingly published "Im getting paid!" webpages.

Compromised accounts

Although some theorised that the hacker may have exploited a vulnerability on WordPress.com (which would be a very serious problem as the WordPress.com infrastructure is used by many of the world's most popular blogs and news sites), the truth seems to be rather more pedestrian.

Barry Abrahamson from Automattic (the company which runs WordPress.com) told Naked Security that there was no compromise of the WordPress.com servers, and that rather than a vulnerability the most likely cause of the problem was "people sharing the same password across multiple services."

According to the firm, it spotted the problem quickly, notified affected users and reset passwords.

It's good news that the sites hosted on WordPress.com weren't hacked due to a vulnerability. After all, many blogs choose to host on WordPress.com in order to avoid the headache of managing their own security and updates on self-hosted WordPress installations.

So, remember folks - please use different passwords for different websites. If you use the same password in multiple places, it only requires your password to be stolen in one place for it to have an unpleasant impact on your other online activities.


One Response to "Im getting paid!" - Websites hosted on WordPress hacked due to users' poor password security

  1. Jason · 640 days ago

    We all need to be more proactive about our personal account security. One thing that can’t be stressed enough is taking advantage of the 2FA (2-Factor Authentication) which is offered for WordPress.com. I feel a lot more secure when I can telesign into my account with an OTP.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.