"emails querying an unfamiliar bill"
Who gets fooled by those these days? I get several a week, they'd have to do a lot more than that for me to even look closer at them.
Malware-spreaders are hacking into vulnerable WordPress-powered sites in order to drive traffic towards pages loaded with exploits. Hundreds of websites based on WordPress 3.2.1 have been compromised so that surfers directed to the Wordpress-built sites via email links are exposed to the Phoenix exploit kit, M86 Security warns …
"Malware-spreaders are hacking into vulnerable WordPress-powered sites in order to drive traffic towards pages loaded with exploits."
WordPress is the crappiest piece of software I've worked with. Most people overload it to hell with plugins and wonder why it performs like crap, and plugins contain all manner of vulns and issues.
One of the most common exploits with WordPress is .htaccess injections, throwing redirects and other base-64 obfuscated crap into there.
When migrating my old-skool "static" Webcomic site over to a blog format a couple of years ago, I considered most available options and narrowed it down to WordPress and Blogger. Blogger was much simpler for setup and configuration and for customizing my "look", but there was a huge fly in the ointment, and its name was Google. While WordPress had a learning curve like Mount Everest -- the answers in the help forums all assumed I was a hardcore CSS geek, which I'm not -- it had the advantage of having a version which I could run locally, in my own domain, without having to depend on Google's "cloud".
Luckily, while rummaging around among WordPress' various freeware custom theme designs, I found a webcomic theme that I could easily customize, and was up and running with a minumum of headache. I decided early on that I wouldn't allow comments to cut down on the amount of link spam and possible viral infection vectors (among other reasons).
I'm totally down with you on the plug-ins and widgets, though. There's a number of blogs out there whose content I really enjoy -- some WordPress-powered, some on Blogger -- but which I hardly ever visit because they're so heavily infested with plug-ins and widgets that they take forever to load and often cause my browser to totally gag, crap its drawers and fall over.
"One of the most common exploits with WordPress is .htaccess injections, [...]"
Well, that is not a Wordpress-specific vulnerability, IIRC. The .htaccess file is used by various software, so this should not be blames on Wordpress alone.
Mind you, the article did specify that an outdated version of WP is being targeted (3.2.1 -- current is 3.3.1) --so blame the admins for not doing their security updates.
The article linked to contains reference only to WordPress 3.2.1 installs being hacked, but I have seen the exact same attack, with the same iFrame redirect, being used on up-to-date WordPress core installs through a vulnerability in the fGallery plugin. Some folks will update WP but not update their plugins, and end up pwn3d that way.
The main selling point of Wordpress is that it empowers the Inept.
Or more specifically, looks simple enough to easily pitch to managers/CEOs/wtfever that are willing to trust somebody who sounds like they know what they're doing, and wear a tie.
AC, because i'm guilty of setting these up for the tie wearer.