WordPress sites flaw causes millions of defacement attacks
Monday, 13th February 2017
WordPress has come under attack over the last week because of a security flaw in its code.
The flaw resides in the WordPress REST API and gives rise to two new vulnerabilities: remote privilege escalation and content injection. It allows a remote attacker to alter titles and content on a user's website.
Hackers have had a field day defacing WordPress sites across the world, with estimates suggesting 2 million pages on around 40 000 blog sites have already been affected.
Sites that have been attacked include Linux distributor Suse's news.opensuse.org, the US Department of Energy-supported jcesr.org, the Utah Office of Tourism's travel.utah.gov, and many more.
What to do
Owners of WordPress sites are urged to download update 4.7.2 immediately to protect their CMS from the vulnerability.
The update can be downloaded from https://wordpress.org/download/
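Anyone hosting several WordPress sites can check the advice above in bulk. The following is an added example, not part of the original article: it walks a hosting directory, reads `$wp_version` from each install's `wp-includes/version.php`, and flags installs older than 4.7.2. The site names and directory tree are constructed sample data.

```python
import os
import re
import tempfile

FIXED = (4, 7, 2)  # the release the article says to install
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def parse_version(text):
    """Return the $wp_version string from version.php contents, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_tuple(version):
    """'4.7' -> (4, 7, 0); '4.7.2-RC1' -> (4, 7, 2)."""
    nums = re.findall(r"\d+", version.split("-")[0])[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def needs_update(version):
    """True for releases before FIXED; a pre-release of FIXED itself is also flagged."""
    base = version_tuple(version)
    return base < FIXED or (base == FIXED and "-" in version)

def audit(root):
    """Walk root and return sorted (install_dir, version, needs_update) tuples."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), errors="replace") as fh:
                version = parse_version(fh.read())
            install = os.path.dirname(dirpath)
            # An unreadable version is reported as needing attention, not skipped.
            results.append((install, version, version is None or needs_update(version)))
            dirnames[:] = []  # do not descend further into wp-includes
    return sorted(results)

def build_sample_tree(root, versions):
    """Create constructed sample installs: {site_name: version_string}."""
    for name, version in versions.items():
        inc = os.path.join(root, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, {"blog-a": "4.7.1", "blog-b": "4.7.2", "blog-c": "4.6"})
        for install, version, flag in audit(tmp):
            print(os.path.basename(install), version, "UPDATE" if flag else "ok")
```

To audit real sites, call `audit()` with the directory that contains the hosted installs instead of the sample tree.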
Realnet rarely use WordPress for our websites, partially due to these regular security issues (see our Open Source vs Proprietary CMS article). WordPress is an open source platform, so it's far easier for security issues to be found by hackers. We do occasionally use WordPress blogs, and all the WordPress sites we host have already been updated. If you have any concerns, please contact us.