As Wikipedia becomes more powerful, it’s facing a new vandalism problem. In recent weeks, the user-moderated online encyclopedia has experienced a string of rogue edits, most infamously when a user changed Donald Trump’s lead picture to an image of a penis, an attack that was repeated for days afterwards. Most of these edits were made from old editor accounts, which were often left unused for months or years. But the more troubling breaches came from administrator accounts, three of which have been breached in recent weeks. Admins are the rank above editor, and they do most of the actual work of maintaining Wikipedia. As a result, their accounts are more powerful, and the resulting breaches harder to clean up.

Those compromises have put the internet’s greatest store of knowledge in a difficult place. Administrators do the vast majority of the work that keeps Wikipedia running, and aside from a small staff of bureaucrats, stewards, and Wikimedia Foundation staff members, there are few authorities to keep them in check. In most breaches, the only thing that’s stopped a bad actor with an admin account is a good actor with an admin account. But as the community slowly peels back admin powers in response to account hacking, some are worried that the problem could spur a new class of automated attack that would put the entire site at risk.

The latest string of vandalism is particularly dangerous because of how far a single Wikipedia edit can travel. The user-moderated online encyclopedia is now a major source of information for Siri, Google Assistant, and a bunch of other major knowledge graphs. That means a prank that makes it to Wikipedia can end up in lots of other places, and it will often stay there long after it’s disappeared from the source. As more features draw on Wikipedia, it’s become a more tempting target for vandalism, and the community has had to pay new attention to how to keep its accounts and pages safe.

The biggest concern is compromised admin accounts, which have been involved in some, but not all, of the recent attacks. A few days before the recent Trump vandalism, Wikipedia made two-factor authentication mandatory for certain admin accounts, but even that hasn’t been enough to stem the tide. One particular issue has been the “self-unblock” feature, which allows admin accounts to unblock themselves. It’s intended as a way for administrators to recover privileges without help from higher authority. But in the recent string of admin compromises, that feature has become a particular problem, giving vandals a way to escape other admin blocks and continue the vandalism until a higher-ranking community member can be raised.

A single compromised administrator could ban every other admin

After the second wave of Trump vandalism, Wikipedia changed the rules to stop that from happening, but it may have raised an even more complex issue in the process. As of last week, Wikipedia admins can no longer reverse blocks that are put in place by other users; once a bad actor is blocked, they’ll stay blocked. But while the new system will make it easier to contain compromised accounts once they’re identified, users have already raised the concern that it might create more profound security vulnerabilities. Removing the unblock power was referred to as “the nuclear option” within the community, and it generated significant concerns when it rolled out last week.

Critics seized on one particularly troubling possibility: a kind of admin apocalypse in which a single compromised admin account uses a bot to ban every other admin, effectively seizing control of Wikipedia itself. Without the ability to unblock themselves, the admins would be locked out until a higher-level user could be summoned, putting the entire site at risk in the intervening time.

It’s an outside chance, but it’s still an alarming one. Concerns over the change are already pitting stewards against lower-level admins who are convinced by the doomsday scenario. “Removing unblockself earlier would have helped in every single one of the compromise cases that have actually happened across this network,” an editor named John Cline said. “You are taking a remote possibility (but still a possibility, I’ll give you that) and railing against an otherwise positive security change because of it.”

“I get it,” responded Swarm, another admin. “You like the positive aspect of this change, but you’re also just repeatedly rejecting perfectly plausible scenarios in which it can backfire.”

That bot attack would be particularly alarming because of how fast admins are able to work. Regular editors are rate-limited in how fast they can make changes, but admins have no such restrictions. Using automated tools with Wikipedia’s API, bots can distribute changes across dozens of pages at once. If those same tools were turned to vandalism, it would be simple to program a bot to ban all of the admin accounts except the compromised one, effectively paralyzing the standard moderation system.

Reached by The Verge, the Wikimedia Foundation emphasized its commitment to user security. “Our Security department will be implementing new, more comprehensive password policies,” a representative said, “and working with volunteers to raise awareness of password best practices among our volunteers to help prevent this kind of vandalism and account abuse in the future.”