A security flaw with WordPress has been exploited by hackers to turn over 162,000 legitimate websites into tools to carry out widespread distributed denial of service (DDoS) attacks.
The criminal botnet was discovered by security firm Sucuri when a popular website run by one client went offline because of a DDoS attack - a method used by cyber-criminals to send vast amounts of data requests to a website's servers that cause the site to crash.
When the attack was investigated by analysts at the firm they were surprised to discover that the requests were originating from other WordPress sites.
In just a few hours, more than 162,000 different and legitimate WordPress sites attempted to attack the affected site before Sucuri decided to block the requests.
"Can you see how powerful it can be?" said Sucuri CTO Daniel Cid. "One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows."
Cid claimed that WordPress was aware of the problem but did not plan to fix it as any changes would cause important plugins to be blocked.
"This is a well-known issue within WordPress and the core team is aware of it. It's not something that will be patched though," Cid said.
"In many cases this same issue is categorised as a feature, one that many plugins use, so in there lies the dilemma."
Cid has advised WordPress users on how best to avoid the DDoS attacks in a blogpost.