Sites defaced as thousands of WordPress installs are left unpatched

A vulnerability in WordPress has led to attacks against hundreds of thousands of webpages


Hundreds of thousands of webpages have been defaced after hackers targeted WordPress via a "severe" bug that was patched last month. 

Security firm Sucuri notified WordPress of the content injection bug on 20 January. The CMS and blogging platform developer waited to warn the public in order to give hosting firms that run the software time to install a patch. WordPress rolled out the patch to all users on 26 January.

"We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," the company said at the time.

WordPress said most of the hosts it works with had installed the patch or had other protections in place within days of the security notification being received. As of the beginning of February, WordPress said it had seen "no attempts to exploit this vulnerability in the wild".


That appears to have changed in the intervening ten days, with other security firms reporting that attacks had started. Security firm WordFence reported it had seen 20 different hacking groups using the flaw to target 40,000 sites that remain vulnerable.

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said founder Mark Maunder in a blog post. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

Defaced sites are left with images bragging that the hacker "was here", with similar statements placed in the title of the page so the defacement shows up in Google searches. Maunder said any sites that remain vulnerable will "continue to be defaced and re-defaced" unless they upgrade to WordPress 4.7.2 or, rather handily, sign up for WordFence's firewall service.
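A small triage script, added here as an illustration and not part of the article or of any vendor's tooling, that checks a reported WordPress version against the 4.7.2 fix and scans exported posts for the "was here" style defacement phrases the article describes; the post records and phrase list are constructed assumptions, not real site data.

```python
import re

# WordPress 4.7.2 is the release the article names as closing the content injection bug.
FIXED_VERSION = (4, 7, 2)

# Phrases typical of the defacements described in the article (constructed list;
# extend it with whatever your own incident data shows).
DEFACEMENT_PATTERNS = [
    re.compile(r"\bwas here\b", re.I),
    re.compile(r"\bhacked by\b", re.I),
]


def parse_version(version):
    """Turn '4.7.1' into (4, 7, 1) so releases compare numerically, not as strings
    ('4.10' must sort after '4.7.2'). Plain dotted versions only."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_upgrade(version):
    """True when the running release predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def flag_defaced_posts(posts):
    """Return ids of posts whose title or body carries a defacement phrase.
    Titles are included because the article notes attackers edit them so the
    defacement is visible in search results."""
    flagged = []
    for post in posts:
        text = f"{post.get('title', '')}\n{post.get('content', '')}"
        if any(pattern.search(text) for pattern in DEFACEMENT_PATTERNS):
            flagged.append(post["id"])
    return flagged


# Constructed sample in the shape of a WordPress post export; not real site data.
SAMPLE_POSTS = [
    {"id": 1, "title": "Our spring newsletter", "content": "<p>Welcome back.</p>"},
    {"id": 2, "title": "HaCkEd By Example was here", "content": "<img src='owned.png'>"},
    {"id": 3, "title": "Product update", "content": "<p>hacked by nobody</p>"},
]


def triage(version, posts):
    """Combine both checks into one report for an operator to act on."""
    return {"needs_upgrade": needs_upgrade(version),
            "defaced_post_ids": flag_defaced_posts(posts)}


if __name__ == "__main__":
    print(triage("4.7.1", SAMPLE_POSTS))
```

Flagged posts are review candidates, not confirmed compromises; the version check is the decisive part, since an unpatched site will simply be defaced again.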

Sucuri also reported multiple instances of the vulnerability being abused, but said many WordPress users are not updating their sites, either because they are unaware of the issue or unable to update for technical reasons. "This is leading to a large number of sites being compromised and defaced," said Daniel Cid, founder and CTO of Sucuri.

"Attackers are starting to think of ways to monetise this vulnerability," noted Cid. "Defacements don't offer economic returns, so that will likely die soon." Instead, he predicted hackers would start to use the technique for SEO spamming campaigns or to spread malware.
