[callmeed]

I can confirm. We host a lot of WordPress blogs (for photographers) and our scans have have detected an uptick in installs infected with malicious files. I'm not sure if it's the same attack mentioned in the article but the last 2 weeks have been the worst I've seen.

In my experience people get compromised due to bad folder permissions or old versions of WP. I hadn't considered brute-force password attacks.

[bigiain]

Can I suggest it might be worth investigating the "Wordfence Security" plugin?

I use it pretty much everywhere that I have anything to do with WordPress - I'd noticed an uptick early this week of random ip addresses from far-flung countries getting locked out after 5 login attempts or multiple lost password attempts.

(One site in particular gets a _lot_ of drive-by login attempts - it's got the word "anonymous" in the domain, which I suspect attracts mostly the wrong sort of traffic... Wordfence is locked down _much_ tighter on that site.)

[krapp]

I was just about mention this ... I'm using Wordfence on a wordpress site right now, already had logins limited.

And the 'live scan' is scary -- constant attempts to login as 'admin'.

[eksith]

I've lost count of how many times I've seen people chmod /wp-content/upload to 777. I blame laziness, stupid presets in "one-click" installations and silly how-to's found all over the web.

[disgruntledphd2]

I was setting up a Wordpress site for someone once (I'm not really a web developer). I downloaded an image gallery plugin and installed it locally. Wouldn't work. I went to the instructions and found that it required wp-content/upload to be set to 777. I abandoned the plugin soon after. However, if I hadn't been running Linux for a year before that, I'd probably have just done it.

The difficulty with the democratisation of software and web development is that inevitably, people will make mistakes like this. The sad part is there's probably millions of articles explaining why this is a bad idea, but the people most at risk will never see them.