Fact: If you try to leave a comment on a wordpress.com blog with an email address you have registered to a wordpress.com account, it will ask you to sign in.
Fact 2: wordpress.com allows you to have custom domains (I think this might be a paid feature, not that that matters).
Fact 3: If you combine the previous two facts, WordPress asks you to log in on the custom domain you are currently trying to leave a comment on.
Yes, that’s right. WordPress is asking you to put your account password into a third party domain simply on the strength of it telling you that it’s a wordpress.com blog, honest for reals.
But I guess it’s OK. There’s totally a WordPress icon on the page where it asks you to log in, and there’s no way anyone could fake that.
Practically every phishing email I get has “/wp-content/” in the “click here” URL.
“wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog”