Sites defaced as WordPress thousands are left unpatched

A vulnerability in WordPress has led to attacks against hundreds of thousands of webpages


Hundreds of thousands of webpages have been defaced after hackers targeted WordPress via a "severe" bug that was patched last month. 

Security firm Sucuri notified WordPress of the content injection bug on 20 January, though the CMS and blogging platform developer waited to warn the public in order to give time for hosting firms that use the software to install a patch. WordPress rolled out a patch to all users on 26 January.

Advertisement - Article continues below

"We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," the company said at the time.

WordPress said most of the hosts it works with had installed the patch or had other protections in place within days of the security notification being received. As of the beginning of February, WordPress said it had seen "no attempts to exploit this vulnerability in the wild".

That appears to have changed in the intervening ten days, with other security firms reporting attacks had started. Security firm WordFence reported it has seen 20 different hacking groups using the flaw to target 40,000 sites that remain vulnerable.

Advertisement - Article continues below

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said founder Mark Maunder in a blog post. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

Advertisement - Article continues below

Defaced sites are left with images bragging that the hacker "was here", with similar statements left in the title of the page so it shows up in Google searches. Maunder said any sites that suffer the flaw will "continue to be defaced and re-defaced" unless they upgrade to WordPress 4.7.2 or, rather handily, sign up for WordFence's firewall service.

Sucuri also reported multiple instances of the vulnerability being abused, but said many WordPress users are not updating their sites, either because they're unaware of the issue or unable to update for technical reasons. "This is leading to a large number of sites being compromised and defaced," said Daniel Cid, founder and CTO Sucuri.

"Attackers are starting to think of ways to monetise this vulnerability," noted Cid. "Defacements don't offer economic returns, so that will likely die soon." Instead, he predicted hackers would start to use the technique for SEO spamming campaigns or to spread malware.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020

The growing case for IT flexibility

30 Jun 2020