Users of the most popular CMS in the world have faced a serious security threat over the past three weeks. More precisely, the users who didn’t update their software to version 4.7.2.
To be completely frank, many of those who do update their WordPress regularly were probably hacked too. But the number of those who got hacked because they didn’t patch their CMS as soon as the new version was released is much bigger.
It was pretty unusual even for the diligent folks at WordPress to release the 4.7.2 security update (January 26, 2017) only two weeks after the previous one (4.7.1, January 11, 2017). Something doesn’t smell right, whispered the community geeks, shaking their heads in suspicion.
And it was confirmed before long. There was a grave security issue, discovered by Marc-Alexandre Montpas, a researcher at Sucuri, and reported straight to the WordPress security team. It was patched quietly: the 4.7.2 release notes listed three other fixes and said nothing about this one, and the whole story was disclosed a week later, on February 1, 2017, once they judged that website admins had had enough time to update (the release also went out as an automatic background update to sites that hadn’t switched those off). If they had hit the panic button right away, they would have put myriads of other users in danger.
Nevertheless, even after the issue and the warning were made public, many people missed the chance to update immediately, and thus became targets of attacks of varying severity. Triumphalist, cynical announcements such as “Hacked by NG689Skw” or “Hacked By SA3D HaCk3D” are still proudly sitting on defaced homepages. Others faced something worse than a defacement: on sites running a plugin that executes PHP embedded in post content, the injected content was used to try to run code on the server itself.
The culprit was not the REST API as a whole but a privilege-escalation bug in its posts endpoint (later assigned CVE-2017-1001000): an unauthenticated request could edit the title and content of any published post, which is exactly what the defacement campaigns did. The REST API content endpoints have been turned on by default since WordPress 4.7, and they can be restricted or disabled by a plugin, but that is a stopgap; the real fix is the update.
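What made the bug exploitable, in simplified form (this is an added illustration written for this post, not WordPress source code): the route only accepted a numeric post id in the URL, but a query-string `id` such as `123abc` overrode it. The lookup feeding the permission check returned nothing for the non-numeric value, so the check was skipped, while the update code cast the value to an integer and happily changed post 123. The post store, the `find_post` helper and the two `update_post_*` functions below are mine; the "fixed" version shows the shape of the real fix, which validates the id against the schema first and fails closed when the post is not found.

```php
<?php
// Added illustration (not WordPress source): a simplified model of the
// permission-check bypass fixed in 4.7.2. Assumed, as in the disclosure:
// the route pattern only admits a numeric id, but the request's own "id"
// parameter overrides the route match.
declare(strict_types=1);

// Constructed sample data: a one-post store standing in for the database.
$posts = [123 => ['title' => 'Hello world', 'content' => 'Original content']];

// Mimics the lookup: returns null for anything that is not a plain integer id.
function find_post(array $posts, $id): ?array
{
    if (!is_numeric($id) || (string)(int)$id !== (string)$id) {
        return null;
    }
    return $posts[(int)$id] ?? null;
}

// Stand-in for the capability check; the caller in this demo is anonymous.
function current_user_can_edit(?array $post, bool $logged_in): bool
{
    return $logged_in;
}

// Vulnerable pattern: the permission check only fires when the lookup
// succeeds, but the update path coerces the id with (int), so "123abc"
// skips the check and still reaches post 123.
function update_post_vulnerable(array &$posts, array $request, bool $logged_in): string
{
    $post = find_post($posts, $request['id']);
    if ($post && !current_user_can_edit($post, $logged_in)) {
        return 'rest_cannot_edit';
    }
    $id = (int)$request['id'];
    if (!isset($posts[$id])) {
        return 'rest_post_invalid_id';
    }
    $posts[$id]['content'] = $request['content'];
    return 'updated';
}

// Hardened pattern: reject anything that is not a string of digits or an
// integer, and fail closed when the post is not found instead of letting
// the permission check fall through.
function update_post_fixed(array &$posts, array $request, bool $logged_in): string
{
    $raw = $request['id'];
    if (!is_int($raw) && !(is_string($raw) && ctype_digit($raw))) {
        return 'rest_invalid_param';
    }
    $post = find_post($posts, (int)$raw);
    if ($post === null) {
        return 'rest_post_invalid_id';
    }
    if (!current_user_can_edit($post, $logged_in)) {
        return 'rest_cannot_edit';
    }
    $posts[(int)$raw]['content'] = $request['content'];
    return 'updated';
}

// Constructed malicious request from an unauthenticated client: the path
// matched post 123, but the "id" parameter carries a non-numeric value.
$attack = ['id' => '123abc', 'content' => 'injected content'];

$v = $posts;
echo 'vulnerable: ', update_post_vulnerable($v, $attack, false),
     ' -> ', $v[123]['content'], PHP_EOL;   // updated -> injected content
$f = $posts;
echo 'fixed:      ', update_post_fixed($f, $attack, false),
     ' -> ', $f[123]['content'], PHP_EOL;   // rest_invalid_param -> Original content
```

Run it with `php demo.php`. The lesson is the general one: a permission check that is conditional on a lookup succeeding is a check that an attacker can route around by making the lookup fail, so authorization code should validate its inputs up front and treat "not found" as a denial, never as permission.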
WordPress cannot guarantee that no other security hole like this will open in the future. We can just hope that a 4.7.3 security release will not follow soon. But we all have a part to play as well.
For starters, update as soon as there is a new release, and leave automatic background updates for security releases switched on.
Don’t make the hackers’ job as easy as pie.