From the BBC:
A security flaw in the WordPress blogging software has let hackers attack and deface tens of thousands of sites.
One estimate suggests more than 1.5 million pages on blogs have been defaced.
The security firm that found the vulnerability said some hackers were now trying to use it to take over sites rather than just spoil pages.
WordPress urged site owners to update software to avoid falling victim.
. . . .
The vulnerability is found in an add-on for the WordPress blogging software that was introduced in versions released at the end of 2016.
. . . .
In a blogpost, WordPress said it delayed going public about the flaw so it could prompt hosting firms to update their software to a fixed version.
The patched version of WordPress was formally released on 26 January and led to many sites and blogs automatically applying the update.
However, many blogs have not followed suit, leaving them open to defacement attacks.
Security firm WordFence said it had seen evidence that 20 hacker groups were trying to meddle with vulnerable sites. About 40,000 blogs are believed to have been hit.
Link to the rest at the BBC and thanks to Jan for the tip.
PG says if you have a blog that uses WordPress, make certain both WordPress and all of your plugins are updated.
WordPress should automatically update itself (but not plugins) for major releases under most circumstances. However, if you want to check on the status of updates, you’ll need to be signed in as an administrator, then click on (or hover over) the Dashboard button in the left column, then click Updates.