WordPress sites defaced as thousands are left unpatched
A vulnerability in WordPress has led to attacks against hundreds of thousands of webpages
Hundreds of thousands of webpages have been defaced after hackers targeted WordPress via a "severe" bug that was patched last month.
Security firm Sucuri notified WordPress of the content injection bug on 20 January, though the CMS and blogging platform developer waited to warn the public in order to give time for hosting firms that use the software to install a patch. WordPress rolled out a patch to all users on 26 January.
"We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," the company said at the time.
WordPress said most of the hosts it works with had installed the patch or had other protections in place within days of the security notification being received. As of the beginning of February, WordPress said it had seen "no attempts to exploit this vulnerability in the wild".
That appears to have changed in the intervening ten days, with other security firms reporting attacks had started. Security firm WordFence reported it has seen 20 different hacking groups using the flaw to target 40,000 sites that remain vulnerable.
"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said founder Mark Maunder in a blog post. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."
Defaced sites are left with images bragging that the hacker "was here", with similar statements left in the title of the page so it shows up in Google searches. Maunder said any sites that suffer the flaw will "continue to be defaced and re-defaced" unless they upgrade to WordPress 4.7.2 or, rather handily, sign up for WordFence's firewall service.
Sucuri also reported multiple instances of the vulnerability being abused, but said many WordPress users are not updating their sites, either because they're unaware of the issue or unable to update for technical reasons. "This is leading to a large number of sites being compromised and defaced," said Daniel Cid, founder and CTO of Sucuri.
"Attackers are starting to think of ways to monetise this vulnerability," noted Cid. "Defacements don't offer economic returns, so that will likely die soon." Instead, he predicted hackers would start to use the technique for SEO spamming campaigns or to spread malware.