As I previously wrote, I recently had to change my password on over 300 Web sites because my default “medium-security password” was compromised. The compromise was caused by a bug in the WordPress blogging platform which can result in inadvertent disclosure of information when content is pasted into the WYSIWYG text editor built into WordPress.
In a nutshell, sometimes when you paste text into the editor, the editor inserts an invisible copy of the pasted text. You won’t see the invisible text at all in the editor; it’s visible in the HTML view, but WordPress users often post without ever looking at the HTML view (that is, after all, the whole point of the editor). Even if you do look at the HTML, you probably won’t notice the hidden text block unless you know to look for it, which most people obviously don’t. It is not clear whether this invisible copy is inserted in addition to a visible copy of the same text, or whether it’s inserted instead of the visible copy you intended.
Although the text is not visible in the editor, it is in the HTML, which means that when you publish your blog entry, the hidden text goes along with it. Search engines will happily index it and even show you snippets from it in search results if you search for a keyword that’s found in the hidden text. Furthermore, syndicators of your blog that strip out HTML style attributes (including, e.g., the feed syndicator at LiveJournal.com) will render the previously invisible text for the world to see.
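A pre-publish check for this kind of leak, as an added example that is not code from this post or from WordPress: it walks a post's HTML and returns any text nested inside an element whose inline `style` hides it. The list of hiding declarations, the `hidden_text` name and the sample post are assumptions made for illustration, since the exact markup the editor inserts is not given here.

```python
import re
from html.parser import HTMLParser

# Assumption: common inline-style hiding rules; the post does not say which one is used.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "wbr", "embed", "source", "col", "area"}

# Constructed sample post body (not taken from the original article).
SAMPLE_POST = (
    '<p>Notes from this week.</p>'
    '<div style="position:absolute; left:-10000px; top:0">'
    'login: alice <b>password: example-only</b></div>'
    '<p style="color: #333">Visible paragraph.</p>')

class HiddenTextFinder(HTMLParser):
    """Collect text nested inside any element whose inline style hides it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []   # (tag, hides) for each open element
        self.depth = 0    # how many open ancestors hide their content
        self.found = []   # hidden text fragments, in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return        # void elements never get a close tag
        hides = bool(HIDING.search(dict(attrs).get("style") or ""))
        self.stack.append((tag, hides))
        self.depth += hides

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self.stack):
            return        # stray close tag: ignore
        while True:       # pop unclosed children up to the matching tag
            open_tag, hides = self.stack.pop()
            self.depth -= hides
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.depth and data.strip():
            self.found.append(data.strip())

def hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.found
```

Running `hidden_text` over the saved HTML of a draft before publishing surfaces exactly the text that a style-stripping syndicator or a search index would expose.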

