The attacks began last week, and have affected more than 90,000 blogs so far. The hackers behind the attacks have combed through WordPress accounts and attempted to guess passwords via brute force.
Their program cycles WordPress accounts through 1,000 common passwords. While this tactic is useless against savvy users, enough people utilize easy-to-guess passwords to make it worthwhile for the hackers.
After the hack compromises a user's system, it drafts the blog into a botnet, a collection of compromised systems that communicate with one another and often come in handy for online attacks. Private blogs aren't too useful in this system, but blogs that are housed on Web servers are. Servers recruited into the botnet can attack a multitude of machines at once, and grow the system exponentially.