A warning that the blogging world ignored in 2005 and is still paying for


Editor’s note (March 2026): This article is part of the Blog Herald’s editorial archives. Originally published in 2005, it has been revised and updated to ensure accuracy and relevance for today’s readers.

Back in February 2005, a small but disturbing story spread among early bloggers. Some sites hosted on Google’s BlogSpot platform served spyware to unsuspecting visitors. The mechanism was almost laughably simple: Blogger allowed anyone to embed JavaScript in their posts, and a few bad actors did just that—injecting code that threw deceptive pop-ups at readers, telling them their browser was out of date and urging them to click “Yes” to upgrade. If they did, they installed software they never wanted.

The incident hardly registered as a major security story. It was seen as a quirk of the early internet – a small hiccup in the optimistic, chaotic days of the first blogging boom. Google eventually tightened some controls, the conversation continued, and most people forgot it ever happened.

That was a mistake. What happened at BlogSpot in 2005 was not unusual. It was a preview.

What actually happened, and why it mattered more than anyone admitted

The core problem was not a failing specific to Google. It was structural. Blogger, like most platforms at the time, gave users considerable freedom to add custom code to their pages. This openness was, and still is, one of the things that made blogging platforms so powerful. But it also meant that anyone with a blog could, without scrutiny and without friction, serve whatever they wanted to the people who visited it.

The spyware-hosting blogs used manipulative pop-up sequences. Users who clicked the “No” button were shown a second pop-up. Then a third. The persistence was meant to wear people down. And it worked. Visitors ended up with unwanted software – not because they were careless, but because the environment they were browsing had been quietly weaponized.

What made this particularly troubling was the discovery vector: the “Next Blog” button. Clicking it took you to a random BlogSpot blog. This sense of randomness, of open exploration, was one of the delights of the early blogosphere. And it had become a trap.

The lesson should have been clear: open publishing carries real security responsibilities, both for the platforms that run it and for every blogger who publishes on them.

Twenty years later, the problem is exponentially worse

Fast forward to today and the same fundamental dynamic is playing out on a scale that was unfathomable in 2005.

WordPress now powers about 43% of all websites on the internet. And according to Patchstack's 2025 WordPress Security Report, 11,334 new vulnerabilities were discovered in the WordPress ecosystem last year alone – a 42% increase over 2024. Even more troubling, for the most targeted flaws attackers are now weaponizing newly discovered vulnerabilities within a median of five hours.

Sucuri, one of the major web security providers, observed more than 500,000 infected websites in 2024. And researchers tracking the DollyWay campaign – a large-scale malicious redirect operation – found that by the beginning of 2025 it had produced more than 10,000 unique infected WordPress sites, with injected scripts loading about 10 million times per month and reaching millions of visitors every month.

The mechanics are different from 2005, but the goal is the same: use someone’s blog as a tool to harm people who visit it.

Spyware is now smarter – and more manipulative

What made the 2005 incident easy to dismiss was how crude it was. Pop-ups telling you to click “Yes”. Browser warnings that looked fake even to the untrained eye.

Today’s equivalents are more sophisticated. The ShadowCaptcha campaign, first discovered in August 2025, used more than 100 malicious WordPress sites to redirect visitors to fake CAPTCHA verification pages – the kind that looked completely routine and trustworthy. After the visitor completed the fake verification, a sequence of steps followed that delivered ransomware, data-theft malware and cryptocurrency miners to their device.

The psychological manipulation has not changed. Only the costume has.

Fake security warnings have been replaced with fake CAPTCHAs. Misleading browser upgrade prompts have turned into convincing phishing pages. And the deception goes deeper: according to a 2026 Kaspersky malware statistics report, spyware detections are up 51% year-over-year. Credential theft is on the rise. The tools are powered by artificial intelligence. They blend in with legitimate activity and evade detection because they look so convincing.

What this means for bloggers who think they are not targeted

One of the most persistent myths in the creative space is that small blogs are safe because they’re not worth attacking.

This was never true, and the data now makes it undeniable. Hackers don’t primarily target blogs because of who you are or how influential your site is. They target blogs to reach your audience – people who trust you enough to visit your site and click on your links. A hijacked blog with 2,000 monthly readers is still 2,000 people who could be redirected to a scam, infected with malware, or manipulated into handing over their credentials.

The 2025 Melapress WordPress Security Study found that the most common threats facing WordPress professionals today are brute force attacks, plugin or theme vulnerabilities, and malicious code injection – the same key categories that were exploited at BlogSpot twenty years ago. However, the gaps remain staggering: only 27% of respondents have a breach recovery plan. More than a third of those concerned about a website breach have not implemented any activity logging.

Anxiety without action is weakness.

The question of platform responsibility was not answered

The BlogSpot incident in 2005 raised a question that the industry has avoided rather than answered: how responsible is a publishing platform for what its users serve up to visitors?

At the time, the easy answer was “not much.” Individual users added the code. The platform just hosted it.

That framing never fully held up, and it holds up even less today. Platforms that enable mass publishing have real responsibilities: scanning for injected malicious code, enforcing content security policies, and making it easy for users to report and respond to compromises. When a blog infects a visitor, the reputational damage extends beyond that individual site. It reduces trust in the wider ecosystem.

Google has made progress on this front with its Safe Browsing technology. The WordPress security community – Patchstack, Wordfence, Sucuri – is doing really important work. But the data shows that about 58% of vulnerabilities in the WordPress ecosystem can be exploited by a complete outsider without any credentials. The infrastructure around open publishing has grown a lot since 2005, but the main problem – that anyone can put code on a page that harms the people who read it – has never been fully resolved.

What you should actually do about it

If you blog on any platform, the 2005 BlogSpot story shouldn’t feel like ancient history. It should feel like a warning from twenty years ago.

Update your plugins, themes and WordPress core. It sounds obvious, but a significant portion of the most exploited vulnerabilities in 2025 were issues that had been patched months earlier, meaning thousands of blogs simply hadn’t been updated. Attackers know this and rely on it.

Audit what runs on your site. Unfamiliar plugins, scripts you didn’t install, third-party widgets you added years ago and forgot about: these are all potential attack surfaces. Remove what is unnecessary. Control what you keep.

Use a web application firewall, enable two-factor authentication on your administrator account, and, critically, have a recovery plan. Know what to do if your site is compromised tomorrow. Know how to take it offline, how to clean it, and how to communicate with your audience.
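As an illustration of the advice above to check which scripts your site serves, here is an added example (not part of the original article) that lists script hosts a page loads from outside an allowlist and builds a matching Content-Security-Policy `script-src` value. The sample page, the hostnames and the function names are constructed for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a blog page after a forgotten widget and an unknown
# script have crept in. All hostnames are placeholders.
SAMPLE_PAGE = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://stats.example.net/counter.js"></script>
<script src="//cdn.unknown-widget.example/w.js"></script>
<script>document.title = document.title;</script>
</head><body><p>Hello readers</p></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline scripts."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self.inline += 1

def audit_scripts(html, site_origin, allowed_hosts):
    """Return (sorted unexpected script hosts, inline script count)."""
    collector = ScriptCollector()
    collector.feed(html)
    site_host = urlsplit(site_origin).hostname
    unexpected = set()
    for src in collector.sources:
        # Relative URLs have no host and resolve to the site itself.
        host = urlsplit(src).hostname or site_host
        if host != site_host and host not in allowed_hosts:
            unexpected.add(host)
    return sorted(unexpected), collector.inline

def script_src_policy(allowed_hosts):
    """CSP value limiting scripts to the site and the hosts you chose to keep.
    Without 'unsafe-inline', browsers also refuse inline <script> blocks."""
    parts = ["script-src", "'self'"] + [f"https://{h}" for h in sorted(allowed_hosts)]
    return " ".join(parts)

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_PAGE, "https://myblog.example", {"stats.example.net"}))
    print(script_src_policy({"stats.example.net"}))
```

Any host in the first result is a script you did not knowingly approve; a non-zero inline count tells you what would stop working once the policy is enforced.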

And perhaps most importantly, understand that your blog is not just your platform. It’s an environment where you invite people. People who visit you trust you. This trust is not just a content relationship. This is a security commitment.

That was true in 2005. It is more true now.

A story that was always bigger than it seemed

Looking back at that 2005 BlogSpot story, what’s striking isn’t the event itself, but how clearly it outlined the contours of everything that followed. Open platforms. Custom code. Unsuspecting visitors. Manipulative prompts. The gap between platform freedom and platform responsibility.

Every element of today’s blog security crisis was seen in miniature in that episode. The tools are now more sophisticated, the scale is larger, and the potential damage is more serious. But the basic truth has never changed: If you publish on the Internet, you are responsible for what your site does to the people who come to read it.

This responsibility is not diminished by the fact that the platform is open, the code is contributed by someone else, or your blog is small. It goes with the territory of having an audience. And bloggers who understand this, those who treat security as an ethical obligation rather than a technical chore, are the ones who deserve the trust they’ve earned.


