
Wordpress vulnerability leads to defacement of hundreds of thousands of sites - vertigogo
https://blog.sucuri.net/2017/02/wordpress-rest-api-vulnerability-abused-in-defacement-campaigns.html
======
vertigogo
Our site got hacked by a guy who tagged our blog with "hacked by muhmademad",
which seems to have a few hundred thousand results as of a minute ago.

Even large institutions and websites have been hit: Harvard, MIT,
glennbeck.com, and many more.

Make sure to update to 4.7.2 if you are running a Wordpress install of 4.7.0
or 4.7.1. There's a REST vulnerability that allows someone to bypass
authorization to update or post.
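
Two checks that follow from this post, as an added example (not code from the thread or from WordPress itself): decide from a site's generator tag whether it is on one of the two releases named above, and scan web-server access logs for successful write requests to the REST posts endpoint, which is where an "update or post" without authorization would show up. The log lines are constructed for the example; the log format is assumed to be Apache/nginx combined format, and the detector is deliberately generic (any 2xx write to `/wp/v2/posts`), since the exact request shape of the attack is not given on this page.

```python
import re

# Releases named in the thread as carrying the REST API authorization bypass.
# WordPress reports 4.7.0 as "4.7", so "4.7" must normalize to (4, 7, 0).
VULNERABLE = {(4, 7, 0), (4, 7, 1)}
FIXED = (4, 7, 2)

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)

# Combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Both URL forms the REST API answers on: /wp-json/... with pretty
# permalinks, /index.php?rest_route=/... without them.
POSTS_ENDPOINT = re.compile(
    r'^/(?:wp-json|index\.php\?rest_route=)/?wp/v2/posts(?:/\d+)?(?:\?.*)?$')


def parse_version(text):
    """'4.7.1' -> (4, 7, 1); '4.7' -> (4, 7, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True for the releases the thread says need the 4.7.2 update."""
    return parse_version(version) in VULNERABLE


def version_from_html(html):
    """Pull the version out of the generator meta tag, or None if absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def suspicious_rest_writes(log_lines):
    """Return (ip, method, path) for every successful (2xx) write request
    to the REST posts endpoint. On a site where all editing happens through
    wp-admin, any hit here deserves a look; rejected attempts (401/403) are
    left out to keep the list short, but counting them is a useful signal too."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] in WRITE_METHODS
                and POSTS_ENDPOINT.match(m["path"])
                and m["status"].startswith("2")):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits


# Constructed sample data for the example (not real traffic).
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>'
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2017:03:14:22 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1832 "-" "python-requests/2.12.4"',
    '198.51.100.4 - - [06/Feb/2017:03:15:01 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Feb/2017:03:15:40 +0000] "POST /index.php?rest_route=/wp/v2/posts/1 HTTP/1.1" 200 1832 "-" "curl/7.52.1"',
    '192.0.2.9 - - [06/Feb/2017:03:16:05 +0000] "POST /wp-json/wp/v2/posts/2 HTTP/1.1" 401 98 "-" "curl/7.52.1"',
]

if __name__ == "__main__":
    v = version_from_html(SAMPLE_HTML)
    print(f"site reports WordPress {v}: {'UPDATE TO 4.7.2' if is_vulnerable(v) else 'ok'}")
    for ip, method, path in suspicious_rest_writes(SAMPLE_LOG):
        print(f"successful REST write from {ip}: {method} {path}")
```

The generator tag is easy for a theme to remove, so treat its absence as "unknown", not "patched"; `wp core version` on the host is the authoritative answer.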

~~~
camus2
Question: Was the new REST API turned on automatically?

I don't use Wordpress, but if the answer is yes then it is completely dumb to
increase the attack surface like that.

~~~
poxrud
The new REST API is turned on automatically as of version 4.7.0.

My site was hit, as far as hacks go this one wasn't too bad. They defaced the
last post, the solution was to revert to an earlier revision and upgrade WP to
version 4.7.2.

If we had had auto updates enabled then this attack would have been
prevented. So the takeaway from this is make sure that auto updates are
enabled.

~~~
wzy
Why did you disable auto-updates?

~~~
steveb0x
Because updates occasionally break my site

~~~
wzy
Only security updates (v0.0.X) install automatically. Version change updates
(vX.Y.0) always require a site owner to explicitly install them.

If you are doing things in WordPress that break with a security patch, you
need to re-examine what it is you're doing.
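
Whether the automatic security releases this reply describes actually get installed is decided by two constants in wp-config.php: `AUTOMATIC_UPDATER_DISABLED`, which turns the whole updater off, and `WP_AUTO_UPDATE_CORE`, which is `true` (all core releases), `false` (none) or `'minor'` (the default: security and maintenance releases only). The following is an added example, not code from the thread or from WordPress: it reads a wp-config.php and reports which policy is in force, so a fleet of sites can be audited for the setting that would have let this patch arrive on its own. The config snippets are constructed; the parser only sees the constants, so a plugin or an `auto_update_core` filter hook that disables updates in code would not be detected.

```python
import re

# define('NAME', value) for the two constants that govern core auto-updates.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>WP_AUTO_UPDATE_CORE|AUTOMATIC_UPDATER_DISABLED)['"]"""
    r"""\s*,\s*(?P<value>true|false|['"]minor['"])\s*\)""",
    re.I,
)


def _strip_comments(php):
    """Drop lines that are entirely a // or # comment, so a commented-out
    define does not count as active. (Block comments are not handled.)"""
    return "\n".join(l for l in php.splitlines()
                     if not l.strip().startswith(("//", "#")))


def _parse_value(raw):
    raw = raw.strip("'\"").lower()
    if raw == "true":
        return True
    if raw == "false":
        return False
    return raw  # 'minor'


def core_update_policy(wp_config):
    """Return 'none', 'minor' or 'all' for the core releases WordPress would
    install by itself. AUTOMATIC_UPDATER_DISABLED wins over WP_AUTO_UPDATE_CORE;
    with neither constant set the default is 'minor'."""
    settings = {m["name"].upper(): _parse_value(m["value"])
                for m in DEFINE_RE.finditer(_strip_comments(wp_config))}
    if settings.get("AUTOMATIC_UPDATER_DISABLED") is True:
        return "none"
    core = settings.get("WP_AUTO_UPDATE_CORE", "minor")
    if core is True:
        return "all"
    if core is False:
        return "none"
    return "minor"


def sites_missing_security_updates(configs):
    """configs: {site_name: wp_config_text}. Returns the sites that would
    NOT have received a 4.7.x security release automatically."""
    return sorted(name for name, cfg in configs.items()
                  if core_update_policy(cfg) == "none")


# Constructed wp-config.php fragments for the example.
CONFIG_WEAK = """define('DB_NAME', 'wp');
define('AUTOMATIC_UPDATER_DISABLED', true);  // blocks even security releases
"""
CONFIG_DEFAULT = """define('DB_NAME', 'wp');
// define('AUTOMATIC_UPDATER_DISABLED', true);
"""
CONFIG_MINOR = """define('DB_NAME', 'wp');
define('WP_AUTO_UPDATE_CORE', 'minor');
"""
CONFIG_ALL = """define('WP_AUTO_UPDATE_CORE', true);"""

if __name__ == "__main__":
    fleet = {"blog": CONFIG_WEAK, "shop": CONFIG_DEFAULT,
             "docs": CONFIG_MINOR, "lab": CONFIG_ALL}
    for name, cfg in fleet.items():
        print(f"{name}: core auto-updates = {core_update_policy(cfg)}")
    print("would have missed the security release:",
          sites_missing_security_updates(fleet))
```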

------
jordif
Wordpress is used for more than 25% of internet sites. That also means that it
is the most hacked CMS :)

Fortunately, WP and its community are working hard to fix the problems ASAP
and make new releases.

The major problem is that people don't update the CMS. I really recommend
auto-updates and good management of all plugin versions. If you are a
developer and you are taking care of several WP sites, there are many plugins
that can help you manage the WP and plugin versions for a large number of
sites.

