Tens of thousands of WordPress websites and blogs have been attacked and defaced by criminal hackers after a vulnerability affecting WordPress 4.7 and 4.7.1 was disclosed last week.
Many sites have automatically upgraded to version 4.7.2 but millions did not, leaving them open to attack. Immediately after the bug was disclosed, multiple public exploits were shared and posted online, fuelling over 800,000 attacks in a 48-hour period – a number that tech news site Bleeping Computer estimates has now risen to over 1.5 million.
“This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites,” said Mark Maunder, WordFence’s founder and CEO.
WordPress is urging site owners to install the latest update.
How did it happen?
The attack has been traced to a flaw in an add-on that was introduced in versions of WordPress released at the end of last year.
According to security firm Sucuri, which told WordPress about the vulnerability on 20 January, attackers were able to craft simple HTTP requests that allowed them to bypass authentication systems and edit the titles and content of WordPress pages.
The importance of installing patches as soon as they are released cannot be overstressed – even if you think your website is not likely to be targeted. The fact is that all websites are at risk because criminal hackers do not usually focus on specific sites but use automated attacks to seek known weaknesses in order to steal data.
Patch management is one of the services offered in the Website Support solution Pink Chameleon Offer