More than 100,000 Wordpress websites have conscripted into a botnet which forces them them to inadvertently launch DDoS attacks.
Security firm Sucuri found the botnet when analysing an attack targeting one of its customers and traced the source of the attack to legitimate WordPress sites.
The attackers used a well-known flaw in WordPress code which meant that one attacker could use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden.
The workaround is to disable the dodgy XML-RPC functionality of a site or download an automated scanner tool from a legitimate security service provider.
Network security company Lancope said that the criminals wanted to set up a supply chain for compromised connected computers for their botnets.
CTO, Tim Keanini, said the cybercriminals continue to innovate and find vulnerabilities to exploit for their criminal activity with no end to the supply of targets.
He said that these sorts of hacks were a problem that was going to get worse, particularly as the industry moves towards the "internet of things."