News & Blog

1.5 Million Wordpress Pages Hacked. Is Yours?

By Francis West on 15th February 2017

An estimated 1.5 million WordPress pages were attacked and defaced in January via a vulnerability in the platform’s REST API

What Vulnerability?

The vulnerability in the REST API (the Application Programming Interface of the REST architecture that makes up the pages) meant that unauthorised persons could modify the content of any post or page in a Wordpress website. The fact that the vulnerability was there, and that attacks were taking place through it, was flagged up to Wordpress by web security firm Sucuri on 20th January. At that point, approximately 67,000 pages had been compromised and defaced in four separate attack campaigns. The latest figures put the number of compromised pages at 1.5 million, and the number of unique affected websites at around 40,000 (because many pages in the same website were attacked in most cases).

Hackers Competing.

A patch was developed and issued to all users on 26th January, but the vulnerability had already become widely known among hackers, and it appears that 20+ hackers or even groups of hackers had been competing with each other to compromise as many Wordpress pages as possible.

Defeated The Blocking Rules.

Hackers in this case were able to get around the blocking rules that had been put in place by web hosting companies and firewall suppliers in order to prevent attackers from exploiting just such vulnerability.

Defaced Pages.

Since the flaw allowed hackers to modify any page or post in the Wordpress websites, hackers defaced pages by leaving images and messages in pages / posts saying "was here" or similar.

Defacing Doesn’t Bring Money.

Technical and security commentators have pointed out that hackers are generally looking for ways to monetise website vulnerabilities, and defacing pages does not offer this. The fear is, therefore, that next move will be for hackers to use the vulnerability remaining in any sites to spread malware, or to launch spamming attacks.

What Does This Mean For Your Business?

Wordpress is the most popular website platform in the world, and many businesses use them. A vulnerability of this kind is, therefore, a serious matter which could cause disruption to businesses, and create costs and other potential problems in trying to put the issue right. Many businesses may not have checked their web pages recently, and may not even be aware that they have been attacked, and their pages have been defaced. Businesses with Wordpress websites can, therefore, protect themselves against the vulnerability by upgrading to WordPress 4.7.2 or, e.g. signing up for WordFence's firewall service.