Yes, I’m aware of the spam on the blog front page. The management does not hawk dubious drugs.

Daniel Franke and I just did an audit and re-secure of the blog last night, so this is a new attack. Looks like a different vector; previously the spam was edited into the posts and invisible, this time it’s only in the front-page display and visible.

It’s a fresh instance of WordPress verified against pristine sources less than 24 hours ago, all permissions checked. Accordingly, this may be a zero-day attack.

Daniel and I will tackle it later tonight after his dinner and my kung-fu class. I’ll update this post with news.

UPDATE: The initial spam has been removed. We don’t know where the hole is, though, so more may appear.

UPDATE2: It’s now about 6 hours later and spam has not reappeared.  I changed my blog password for a stronger one, so one theory is that the bad guys were running a really good dictionary cracker.