TECHNOBABBLE


More than 100,000 WordPress sites hacked via REST API zero-day

WordPress 4.7.2 was released on January 26th to patch three separate security vulnerabilities. At the time, the folks at WordPress advised that you should update immediately, which is fairly normal (and recommended). What you may not know is that a fourth vulnerability, fixed in the same release, was deliberately kept private for about a week afterwards. Why wasn’t it publicized right away? Security through obscurity, used the right way: as a short delay while the fix was already rolling out through automatic updates, not as a substitute for the fix. The flaw, found by the team at Sucuri, was an unauthenticated privilege escalation in a REST API endpoint that let an attacker modify content on any installation that had not yet taken the 4.7.2 update, with very little effort.

In this case, delaying disclosure likely protected millions of users. Even so, more than 100,000 sites have since been compromised after failing to update. That’s extremely important to note: the sites were not compromised before the patched release was available. They were compromised after the fix was released and before their admins actually deployed it. Once the exploit became common knowledge, obscurity no longer protected them. WordPress explained the delay this way:

“We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”

What can you do to ensure you’re protected? Keep your WordPress site up to date. Enable automatic updates and verify that they actually deploy; a site whose auto-updates are disabled or silently failing is in exactly the position those 100,000 sites were in. Keep your plugins up to date. Keep your themes up to date. Finally, invest in a quality security plugin like Wordfence or Sucuri, and consider putting the site behind a reputable WAF, which can block exploit attempts against a flaw during the window before you have patched it.
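The second piece of that advice, making sure updates actually land, is easy to skip when you run more than one site. The following is an added example (my own code, not from the original post or from WordPress) of a small fleet audit that reads each install’s core version from wp-includes/version.php and its auto-update policy from wp-config.php, both real WordPress file locations, and reports anything older than a chosen minimum. The minimum version, the sample file contents, and the assumption that each install sits in its own subdirectory of the audited root are constructed for this example; the constants WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED are genuine WordPress configuration constants.

```python
"""Audit WordPress installs on disk: core version versus a minimum, plus the
auto-update policy, so a site that silently missed a security release shows
up in a report rather than in a defacement.

Added example, not code from the original post. Paths follow the real
WordPress layout; MIN_PATCHED and the SAMPLE_* contents are constructed.
"""
import re
import sys
from pathlib import Path

# First release that closed the REST API flaw discussed in the post (assumed minimum).
MIN_PATCHED = "4.7.2"

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z0-9_]+)'\s*,\s*(?P<value>[^)]+?)\s*\)"
)


def version_tuple(v):
    """'4.7.1' -> (4, 7, 1); tuples of ints compare in the expected order."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_wp_version(version_php):
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = VERSION_RE.search(version_php)
    return m.group(1) if m else None


def auto_update_policy(wp_config):
    """Summarise core auto-update constants found in wp-config.php text.

    Returns 'disabled', 'all', 'minor', 'off' or 'default'. With nothing
    defined, WordPress applies minor/security releases on its own ('default');
    AUTOMATIC_UPDATER_DISABLED=true switches the whole updater off.
    """
    defines = {m.group("name"): m.group("value").strip().strip("'\"").lower()
               for m in DEFINE_RE.finditer(wp_config)}
    if defines.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        return "disabled"
    core = defines.get("WP_AUTO_UPDATE_CORE")
    if core is None:
        return "default"
    if core == "true":
        return "all"
    if core == "minor":
        return "minor"
    return "off"  # false, or anything unrecognised: no core auto-updates


def audit_install(version_php, wp_config, minimum=MIN_PATCHED):
    """Return (out_of_date, policy, findings) for one install's file contents."""
    findings = []
    version = parse_wp_version(version_php)
    out_of_date = version is None or version_tuple(version) < version_tuple(minimum)
    if version is None:
        findings.append("could not read $wp_version")
    elif out_of_date:
        findings.append(f"core {version} is older than {minimum}")
    policy = auto_update_policy(wp_config)
    if policy in ("disabled", "off"):
        findings.append(f"core auto-updates are {policy}; security releases will not self-apply")
    if out_of_date and policy in ("default", "minor", "all"):
        findings.append("auto-updates enabled but a release was missed: check wp-cron and filesystem permissions")
    return out_of_date, policy, findings


def audit_tree(root):
    """Walk <root>/<site>/ installs (assumed layout) and audit each one."""
    report = {}
    for version_php in Path(root).glob("*/wp-includes/version.php"):
        site = version_php.parent.parent
        cfg = site / "wp-config.php"
        cfg_text = cfg.read_text() if cfg.exists() else ""
        report[site.name] = audit_install(version_php.read_text(), cfg_text)
    return report


# Constructed sample files standing in for two installs.
SAMPLE_STALE_VERSION = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_STALE_CONFIG = "<?php\ndefine('AUTOMATIC_UPDATER_DISABLED', true);\n"
SAMPLE_OK_VERSION = "<?php\n$wp_version = '4.7.2';\n"
SAMPLE_OK_CONFIG = "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', true );\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for site, (stale, policy, notes) in sorted(audit_tree(sys.argv[1]).items()):
            print(f"{site}: {'OUT OF DATE' if stale else 'ok'} (auto-update: {policy})")
            for n in notes:
                print("   -", n)
    else:
        print(audit_install(SAMPLE_STALE_VERSION, SAMPLE_STALE_CONFIG))
        print(audit_install(SAMPLE_OK_VERSION, SAMPLE_OK_CONFIG))
```

Run it with the parent directory of your installs as the only argument; with no argument it audits the two constructed samples. The “enabled but missed” finding is the interesting one: it separates sites where someone turned updates off from sites where the updater is on but not working, which is the failure the post is describing.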

Regarding a recent comment advising not to update because “the old version is probably secure” and “the new version might create an additional attack vector”…

Can new exploits be introduced in a WordPress core update? Of course they can. However, not updating because you “think” your current version is secure is a severely flawed line of thinking: updates are released to patch known, and often easily exploitable, flaws, while the flaw you are worried about in the new version is hypothetical. Short of being the person who discovers it, you simply won’t know whether there is a currently unknown exploit for the version of WordPress you’re running, so keep WordPress core files, themes and plugins up to date whenever possible.

  2 comments for “More than 100,000 WordPress sites hacked via REST API zero-day”

  1. John
    March 22, 2017 at 6:15 AM

    I happen to disagree with immediately updating WP as soon as there is an update available. Doing this for version 4.7.1 is what allowed more than 100k sites to be hacked. A significant amount of time passed between 4.7.1 and 4.7.2, when the vulnerability was corrected. So, please explain to me how your statement of it being important to keep sites updated would have helped here. If you have a WP site that is running on a stable and secure version of WP and the same can be said for all of the plugins being used, then there is no reason to rush to do updates. You’re much better off letting someone else do the testing and waiting until you’re sure the versions you’re updating to are secure. 4.7.1 is not the first time that this has happened and will likely not be the last. So you go ahead, update your site immediately when updates are available and hope this does not happen again.

    • March 22, 2017 at 11:54 AM

      Hi John, thanks for the comment from Site-Seeker. I always like to hear differing points of view. I’d say your line of thinking is flawed though, for the following reasons…

      1. More than 100,000 sites have been compromised after failing to update. That’s extremely important to note… the sites were not compromised prior to the update being released. They were compromised after the update was released and prior to the admins actually deploying the update to their sites. When the exploit became common knowledge, they no longer had security through obscurity.

      “Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.”

      2. Can new exploits be introduced in a WordPress core update? Of course they can. However, not updating your site because you “think” the current version is secure is a severely flawed line of thinking as updates are released to patch known and easily exploitable flaws. The fact of the matter is that short of being the person who discovers a new attack vector, you just won’t know if there is a currently unknown exploit in the wild for the version of WordPress you’re using… so, it’s best to keep WordPress core files, themes and plugins up to date whenever possible. This is considered best practice in our industry, and it’s not something I’d ever recommend going against.

      Again, thanks for the comment. I’ll make sure to share your thoughts with members of the board.

      Cheers,
      Anthony
