Earlier this month, WordPress confirmed delaying the announcement of the found vulnerability in an update recently released. Sucuri is the firm that actually found the vulnerability, but WordPress confirmed and disclosed reasoning as to why they did not announce the vulnerability sooner.
What exactly does this mean For a WordPress Website Owner?
For those of you who don’t live in the deep, mysterious world of CMS and HTML, understanding what this exactly means for WordPress sites is not necessarily easy and can be confusing & scary. Essentially, what has happened is this:
- A security flaw was found within a WordPress update
- The vulnerability of this security flaw was discovered and announced
- Some attackers (often known as hackers) were aware of this and used it to their advantage prior to the announcement. However, this then lead to an overwhelming amount of attackers being aware of the issue. They began to attack and compromise WordPress sites at an alarming speed.
- Over 1.5 million unpatched WordPress sites have now been attacked/affected because of this vulnerability/security flaw.
How many attackers/hackers have taken advantage of this issue?
As of today, there are at least 20 defacement campaigns targeting the REST-API vulnerability of WordPress sites. A campaign is essentially a specific group/user after a targeted goal. However, there is one campaign that has greatly surpassed the efforts of the others. “Hacked by MuhmadEmad” is the campaign that has attacked more than 350,000 WordPress pages.
How will I know if my WordPress site has been affected?
If you are an active user of your website you should notice fairly quickly if the security of your website has been compromised at any point. Generally, the hacking of a site has the main purpose of getting the users and viewers of your site to a different web page. Hacking and attacking sites does not directly have any monetary profiles of the attackers, but if they are able to get users to a different site they have a chance at reaping the benefits. These people/computers will specifically deface the site by changing the SEO strategy, ads and links for their benefit.
These attackers don’t generally make only small changes to your site; they will usually change something big on your homepage that is extremely obvious. For example, with the MuhmadEmad campaign, they have typically exchanged out the text on the homepage to say “Hacked by MuhmadEmad” and under that, it says “Long live to peshmarga”. If you are active with your SEO efforts, you will also generally see that they have changed your title tags, to again, manipulate your site’s SEO.
Attackers for this specific instance have targeted plugins that allow for them to insert their PHP code into posts on the WordPress site. Examples of these plugins are Exec-PHP and Insert PHP.
Hackers and attackers definitely try to leave their mark with as big of a mess as possible. If you have been hacked, expect it to take quite a bit of time and effort to revert your site back to how it was prior to the hack. While you may be able to get the homepage back up and looking “normal,” going back through and making sure all necessary SEO aspects are changed to reflect your SEO strategy can take some time.
Why did WordPress not address this before the Hackers exploited the issue?
According to WordPress, they were aware of the issue but wanted to find a fix before announcing their vulnerability. They felt if it was announced before a resolution was available, they would be putting millions and millions of sites at risk of being compromised. While they did confirm the issue when the firm disclosed their findings, they were waiting to provide their users with a solution before bringing the issue to the light, and thus providing the security issue to potential attackers.
I have a WordPress site and haven’t been hacked [yet] – is there a chance I will be?
If your site is not one that has been affected at this point in time, consider yourself lucky and definitely take the steps to be proactive and protect your site. WordPress released version 4.7.2 which contains the security measures to keep your site safe from this vulnerability issue with previous versions. If you still are operating off of 4.7 or 4.7.1, update to 4.7.2 immediately.
While this has been the biggest vulnerability issue WordPress has faced in some time, as long as you have updated your site to 4.7.2 you will be able to avoid having your site attacked.
You can also contact us if you have any cyber security issues that need urgent attention.