Hackers have developed a distributed WordPress admin account cracking scheme
that poses a severe risk for the security of blogs whose owners select insecure
PHP scripts located on a virtual server run bruteforce (password guessing)
attacks on targeted sites. Many sites can be attacked at the same time by the
system, with results written into an associated database.
The SANS Institute’s Internet Storm Centre notes that brute force attacks
against WordPress are commonplace. The distributed nature of the latest attack
marks an evolution towards blog hacking as a web service, however, thus marking
it out from the crowd.