Tens of thousands of WordPress blogs have been attacked and defaced by criminal hackers after a privilege escalation vulnerability affecting WordPress 4.7 and 4.7.1 was disclosed last week.
Although many blogs automatically upgraded to version 4.7.2 when it was released on 26 January, tens of thousands did not, leaving them open to attack. Soon after the bug was publicly disclosed, multiple working exploits were posted online, fuelling over 800,000 attacks in a 48-hour period, a number that tech news site Bleeping Computer estimates has now risen to over 1.5 million.
“This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites,” said Mark Maunder, Wordfence’s founder and CEO.
WordPress is urging site owners to install the latest update.
How did it happen?
The attack has been traced to a flaw in the WordPress REST API, which had previously been a plugin and was merged into core in version 4.7, released in December 2016.
According to security firm Sucuri, which reported the vulnerability to WordPress on 20 January, the REST API endpoints used to edit posts and pages did not check the request correctly, so an unauthenticated attacker could craft a simple HTTP request that bypassed the API's permission checks and edited the title and content of any post or page.
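For site owners who want to know whether they were hit before they patched, the following is an added example (not code from the article, Sucuri or Wordfence) that scans web server access logs for requests matching the exploitation pattern. Public analyses of the bug showed that the malformed request was a write to the posts or pages endpoint carrying a non-numeric `id` query parameter (for example `id=1abc`), which slipped past the permission check but was still cast to the target post's number when the edit was applied. The log lines below are constructed for the example, and the `is_injection_attempt` and `scan_log` helpers are names chosen here, not part of WordPress.

```python
"""Flag REST API requests matching the WordPress 4.7/4.7.1 content-injection pattern.

Added example, not from the article or from Sucuri/Wordfence.  The indicator
(a non-numeric `id` query parameter on a POST/PUT/PATCH to /wp/v2/posts/<n>
or /wp/v2/pages/<n>) follows the public analyses of the bug; the access-log
lines are constructed sample data in the common "combined" log format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log.  Lines 1 and 2 are exploitation attempts (the second
# uses the ?rest_route= fallback that WordPress offers when pretty permalinks
# are off); lines 3-5 are benign reads, a rejected write, and a normal edit.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Feb/2017:10:01:02 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 812 "-" "python-requests/2.12.4"
203.0.113.11 - - [06/Feb/2017:10:01:05 +0000] "POST /index.php?rest_route=/wp/v2/posts/2&id=2xyz HTTP/1.1" 200 790 "-" "curl/7.51.0"
198.51.100.7 - - [06/Feb/2017:10:02:00 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 3051 "-" "Mozilla/5.0"
198.51.100.8 - - [06/Feb/2017:10:02:30 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 401 120 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2017:10:03:00 +0000] "PUT /wp-json/wp/v2/posts/3?id=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Single-item routes served by the posts controller (posts and pages).
ITEM_ROUTE_RE = re.compile(r"^/wp/v2/(posts|pages)/\d+/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def rest_route(target):
    """Return (route, query) for a request target, or (None, query).

    Handles both pretty permalinks (/wp-json/<route>) and the
    ?rest_route=<route> form used when permalinks are disabled.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def is_injection_attempt(method, target):
    """True when a write to a post/page item carries a non-numeric id parameter.

    A purely numeric id is what a legitimate client sends and was checked
    properly; only a value that is not all digits matches the bug pattern.
    """
    route, query = rest_route(target)
    if route is None or method not in WRITE_METHODS:
        return False
    if not ITEM_ROUTE_RE.match(route):
        return False
    return any(not value.isdigit() for value in query.get("id", []))


def scan_log(text):
    """Return (ip, method, target, status) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_injection_attempt(m["method"], m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in scan_log(SAMPLE_LOG):
        # A 200 on one of these means the edit very likely went through.
        print(f"{ip} {method} {target} -> {status}")
```

Two caveats matter when reading the output. A request that returned 200 is strong evidence the content was changed and the affected post should be compared against a known-good copy; a 401 or 404 suggests the site was already patched or the id did not exist. Absence of hits is not proof of absence: the REST API also accepted the `id` in a JSON request body, which never appears in an access log, so the authoritative check remains the installed WordPress version, not the logs.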
The importance of installing patches as soon as they are released cannot be overstated, even if you think your website is unlikely to be targeted. The fact is that all websites are at risk, because criminal hackers rarely single out specific sites: they run automated scans for known weaknesses across the whole internet, whether to steal data or, as here, to deface pages.
Patch management is one of the five controls in the UK government’s Cyber Essentials scheme, which provides a set of controls that organisations can implement to establish a baseline of cyber security.