1.5 million WordPress Sites Defaced

By MDL on February 10, 2017

A security flaw has led to the defacement of more than 1.5 million WordPress sites within the last ten days.

WordPress update 4.7.2, released on January 26, quietly included a security fix for a vulnerability that allowed attackers to bypass authentication and alter content on WordPress sites running versions 4.7.0 or 4.7.1. WordPress delayed the announcement of the privilege escalation vulnerability for one week in the hope that more users would update before WordPress publicly disclosed the vulnerability on February 2nd.

Sucuri, the company that handles malware monitoring and security scanning for WordPress, discovered the vulnerability and quickly added rules to their Web Application Firewall (WAF) to block attempts to exploit the flaw. WordPress also worked with other companies, including SiteLock, Cloudflare, and Incapsula, to create rules to protect more users before disclosing the vulnerability. WordFence, the creator of the WordFence security plugin for WordPress, deployed a firewall rule to protect their Premium users on February 1 and began logging instances of blocked exploits related to this vulnerability.

Attacks slowly increased over the week, peaking on February 6th when attackers found ways to bypass the firewall rules set by WordFence and other firewall companies. WordFence reports that over 800,000 exploits were recorded in a 48-hour period in an apparent flood of site vandalism. Attackers have been leaving their calling cards on sites they have defaced, adding the phrase “Hacked by ___,” perhaps as a way to keep score of which attacker was able to alter the most sites.
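For site operators triaging after this campaign, the two checks the article implies are (1) whether the installed WordPress version is one of the affected releases (4.7.0 or 4.7.1, fixed in 4.7.2) and (2) whether any published post carries the “Hacked by ___” marker. The following Python script is an added example, not code from the article or from WordPress, Sucuri or WordFence; the post records and the version strings are constructed sample data, and the only assumption about affected versions is the one the article states. It treats the bare version string `4.7` as 4.7.0, since WordPress reports the first release of a branch without a patch component.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected releases as stated in the article; the fix shipped in 4.7.2.
VULNERABLE_VERSIONS = {(4, 7, 0), (4, 7, 1)}
FIXED_VERSION = (4, 7, 2)

# Defacement marker described in the article ("Hacked by ___").
# Captures the attacker tag up to whitespace, a tag bracket or a quote.
DEFACEMENT_RE = re.compile(r"hacked\s+by\s+([^\s<\"']+)", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a WordPress version string into (major, minor, patch).

    WordPress reports the first release of a branch as e.g. '4.7', not
    '4.7.0', so a missing patch component is treated as 0.  A trailing
    suffix such as '-alpha' is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str) -> bool:
    """True if the version is one of the releases the article names as affected."""
    return parse_version(version) in VULNERABLE_VERSIONS


def find_defacements(posts: List[Dict]) -> List[Dict]:
    """Return posts whose title or content carries the 'Hacked by' marker.

    Each returned record keeps the post id and title and adds the captured
    attacker tag, which is useful for grouping a mass defacement by actor.
    """
    hits = []
    for post in posts:
        for field in ("title", "content"):
            m = DEFACEMENT_RE.search(post.get(field, ""))
            if m:
                hits.append({"id": post["id"], "title": post["title"], "tag": m.group(1)})
                break  # one hit per post is enough
    return hits


def triage(version: str, posts: List[Dict]) -> Dict:
    """Combine both checks into one report for an operator."""
    return {
        "version": version,
        "needs_update": is_vulnerable(version),
        "fixed_in": ".".join(str(n) for n in FIXED_VERSION),
        "defaced_posts": find_defacements(posts),
    }


# Constructed sample data: three posts, one of them defaced.
SAMPLE_POSTS = [
    {"id": 1, "title": "Welcome", "content": "<p>Our company blog.</p>"},
    {"id": 2, "title": "Hacked By ExampleCrew", "content": "<h1>Hacked by ExampleCrew</h1>"},
    {"id": 3, "title": "Q1 update", "content": "<p>Nothing to see here.</p>"},
]

if __name__ == "__main__":
    report = triage("4.7.1", SAMPLE_POSTS)
    print(f"WordPress {report['version']}: needs update -> {report['needs_update']} "
          f"(fixed in {report['fixed_in']})")
    for hit in report["defaced_posts"]:
        print(f"post {hit['id']} ({hit['title']!r}) defaced, tag={hit['tag']}")
```

The version check deliberately tests set membership rather than “less than 4.7.2”, because the article only names 4.7.0 and 4.7.1 as affected and earlier branches are not described as vulnerable; widen it only on the basis of the vendor advisory. The content scan is a quick indicator, not proof of integrity: a site that was reached through this flaw should also be checked for changes outside post content, which the Sucuri remarks on remote command execution below make the more important concern.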

WordFence calls this privilege escalation vulnerability “one of the worst WordPress related vulnerabilities to emerge in some time.” Sucuri CTO Daniel Cid warns that the appeal of defacing sites may be waning, and instances of remote command execution (RCE) attempts have been increasing. “Defacements don’t offer economic returns,” Cid writes. “What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize.”

For more technical details on this topic, read our CSCC vulnerability report, Privilege Escalation Vulnerability, WordPress.

Sources:

Threatpost

WordPress

Sucuri

Sucuri (RCE)

Wordfence

Bleeping Computer