Sites defaced as WordPress thousands are left unpatched

A vulnerability in WordPress has led to attacks against hundreds of thousands of webpages


Hundreds of thousands of webpages have been defaced after hackers targeted WordPress via a "severe" bug that was patched last month. 

Security firm Sucuri notified WordPress of the content injection bug on 20 January, though the CMS and blogging platform developer waited to warn the public in order to give time for hosting firms that use the software to install a patch. WordPress rolled out a patch to all users on 26 January.

Advertisement - Article continues below

"We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," the company said at the time.

WordPress said most of the hosts it works with had installed the patch or had other protections in place within days of the security notification being received. As of the beginning of February, WordPress said it had seen "no attempts to exploit this vulnerability in the wild".

That appears to have changed in the intervening ten days, with other security firms reporting attacks had started. Security firm WordFence reported it has seen 20 different hacking groups using the flaw to target 40,000 sites that remain vulnerable.

Advertisement - Article continues below

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said founder Mark Maunder in a blog post. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

Advertisement - Article continues below

Defaced sites are left with images bragging that the hacker "was here", with similar statements left in the title of the page so it shows up in Google searches. Maunder said any sites that suffer the flaw will "continue to be defaced and re-defaced" unless they upgrade to WordPress 4.7.2 or, rather handily, sign up for WordFence's firewall service.

Sucuri also reported multiple instances of the vulnerability being abused, but said many WordPress users are not updating their sites, either because they're unaware of the issue or unable to update for technical reasons. "This is leading to a large number of sites being compromised and defaced," said Daniel Cid, founder and CTO Sucuri.

"Attackers are starting to think of ways to monetise this vulnerability," noted Cid. "Defacements don't offer economic returns, so that will likely die soon." Instead, he predicted hackers would start to use the technique for SEO spamming campaigns or to spread malware.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now


cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020