A security flaw in the WordPress blogging software has let hackers attack and deface tens of thousands of sites.
One estimate suggests more than 1.5 million pages on blogs have been defaced.
The security firm that found the vulnerability said some hackers were now trying to use it to take over sites rather than just spoil pages.
WordPress urged site owners to update software to avoid falling victim.
More than a million pages have been defaced by hackers exploiting the bug, say security experts.