Internet security research and services company Netcraft has determined that sites running the WordPress blogging software are a major source of both phishing attacks and malware distribution.
Interestingly, none of the phishing sites were hosted on WordPress.com, a a large blog-hosting service run by Automattic. The founder of Automattic was one of the original authors of WordPress and the company still contributes to the WordPress.org open source project. Netcraft speculates that this familiarity explains their security record. It also shows that WordPress can be administered securely.
But the WordPress application is free and is installed on many web sites across the world. The administrators of these sites are responsible for keeping WordPress and its component parts updated, and many do not. Recent versions of WordPress can self-update, but this requires that the web server process have write access to the WordPress program files. This situation presents problems of its own, as a compromise of the web server process could allow for modification of the WordPress installation.
Insecure plugins are another security plague on WordPress and have led over the years to many blog compromises and attacks on blog viewers.
Errors in the administration of the server are usually a factor in any WordPress compromise. A common one is on shared hosting sites where one user has write access to another's wp-content directory, the directory where WordPress puts user content. This makes it easy for attackers to place phishing content and malware on the other users' blogs.
Netcraft relates the recent story of a botnet of over 162,000 WordPress blogs which was used in a DDOS attack against a web site.
The full report contains many more details, especially valuable ones if you run a WordPress blog.