Report reference - http://www.gmanetwork.com/news/story/328277/scitech/technology/compromised-wordpress-blogs-used-in-ddos-attack
The problem is not using WordPress or any other, but not doing what is explained in that statement. There are a huge number of people who just install WordPress or another CMS for testing, or because someday they decided it must be cool to have their own website, but they don't maintain it. Sometimes because they just lose interest soon and abandon the project, sometimes because they don't have the required knowledge to maintain a site, sometimes because they just don't care, ... It is totally irresponsible to stop maintaining a site, and it can lead to the site being used in illegal activities. It hurts the rest of the members on shared hosting.
Agreed. All one has to do is to check out Hacker Forums, and they deliberately target WordPress because of its known vulnerabilities. It's become a fun sport for script kids to hit WordPress blogs. Particularly for beginners as an exercise to find their way into Admin accounts. Great Zimmer is posting it here where everyone can see it, as I don't think that one could ever overstate the vulnerabilities of WordPress. Most of all, to neglect the blog while comments are enabled. Not to upgrade software, and to make blog posts with the Admin Account. Owners need to be vigilant for the comments that are made, particularly when there are disagreements. As the latter can lead to "acts of revenge" in the form of hacking or DDoS'ing. One just can't leave a WordPress Blog unattended.
it's not just wordpress this applies to either. that goes for any and all popular software. i recall conversing with a hacker some years ago. whenever she would get info on an "exploit" for the current version or a popular version of a program\script\service that has yet to be updated or patched, she would just google and search for websites that have the version the exploit can.. well... exploit, and just hack it for funsies.
quite immature, but it happens nonetheless.
Got to stay in practice, I guess.
yes, and as previously mentioned... keep your software updated. that's one of the most useful tips i can give you to keep your website and computer safe from malicious internet users. it's not just recommended by me either, it's recommended by anyone who knows what they're doing. so do it!
Yeah I got my WP once hacked too with an index page. This botnet army seems like a scary idea.
Don't forget to back up all the data of your WordPress site regularly to prevent unrecoverable database loss. Updating the software script once a week, if an update is available, is also a very important thing to do for WordPress users. If you do not want to do that, you should use WordPress managed hosting or move to Blogger for the best protection against DDoS attacks and other hacking methods.
While we are giving tips, one I've found that makes great sense to me, since that seems to be one of the main ways hackers get access to WordPress sites or forums, is to change the "Admin" account to a new name. I.e. don't make blog posts with the Admin account for starters. Create another account that is completely neutral and unrecognizable as Admin, maybe starting with the middle of the alphabet, and give it Admin power. Then get rid of the Admin account or rename it to something else.
Another tip is to always turn off the "lights" when you go on holiday, i.e. disable comments and registration of accounts. Or if you can't afford to let your Website be inactive, make sure you've got able staff to look after it for you (like at Frihost).
Hackers thrive on Websites that have no activity in them and/or have lots of spam in the comments. It's the equivalent of a label - "hack me please".
Some simple things like removing admin and hiding obvious information make your WordPress significantly stronger.
Plugins should also be kept in check. Some plugins get sold and new users might be malicious thinkers. So always prefer to use open source plugins.
One last thing, keep it updated.