WordPress software security flaw allowed hackers to vandalise thousands of domains and websites.
The internet-wide defacement of WordPress blog websites was caused by a now-patched security flaw. Experts have said that anywhere between 1 million and 1.5 million web pages have been affected.
Web security company Sucuri was the first to report the vulnerability, claiming at the time it went public that up to four groups of hackers had defaced over 67,000 pages. As news of the security hole spread, the number of hacking groups involved quickly escalated, with as many as twenty individual hacking groups taking part.
What’s the issue?
The issue is a vulnerability found only in an add-on for the WordPress blogging software that was introduced in versions released at the end of 2016. The problem lies in the Representational State Transfer (REST) application programming interface. While the latest version of WordPress has fixed the issue, the vulnerability is still exploitable in versions 4.7.0 and 4.7.1 of WordPress. WordPress has urged site owners to update their software to avoid falling victim.
Initially, hackers seemed content with just ruining the appearance of blog websites; however, one security firm said that hackers were now attempting to capitalise on the weakness and using it to try to take websites over. At the time of writing, it is unknown how successful these attempts have been.
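For site owners who want to triage quickly, the two checks that follow from the section above are: is the installed version one of the two the article names as exploitable, and has the REST API already been used to change post content? The script below is an added example, not code from the article or from WordPress; it assumes the default /wp-json prefix and wp/v2 namespace for the posts route, and the access-log lines it scans are constructed samples.

```python
import re

# Versions the article names as still exploitable.
AFFECTED_VERSIONS = {(4, 7, 0), (4, 7, 1)}


def parse_version(text):
    """Turn '4.7.1' or '4.7' into a 3-tuple of ints ('4.7' -> (4, 7, 0))."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True when the reported WordPress version is 4.7.0 or 4.7.1."""
    return parse_version(version_text) in AFFECTED_VERSIONS


# Combined-log-format request and status fields.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Single-post REST route (assumption: default /wp-json prefix, wp/v2 namespace).
REST_POST_RE = re.compile(r"^/wp-json/wp/v2/posts/\d+")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def suspicious_rest_writes(log_lines):
    """Return (ip, method, path) for accepted (2xx) write requests to a single
    post via the REST API. On an affected version these are the requests to
    review first, since content changes through the REST API are how the
    defacements were applied."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        accepted = m["status"].startswith("2")
        if m["method"] in WRITE_METHODS and REST_POST_RE.match(m["path"]) and accepted:
            hits.append((line.split()[0], m["method"], m["path"]))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Feb/2017:10:01:09 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 640',
    '198.51.100.7 - - [06/Feb/2017:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [06/Feb/2017:10:03:40 +0000] "PUT /wp-json/wp/v2/posts/7 HTTP/1.1" 401 90',
]

if __name__ == "__main__":
    print("affected:", is_affected("4.7.1"))
    print("review:", suspicious_rest_writes(SAMPLE_LOG))
```

A hit in the log does not prove compromise (an editor may have used the REST API legitimately), so compare each flagged post's current content against a known-good copy before deciding.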
What have WordPress got to say for themselves?
That’s a good question… WordPress said in a blog post that it had delayed going public with the flaw so it could prompt hosting firms to update their software to a fixed version before word got out onto the wild streets of the web. Of course, for those WordPress users who use automatic updates, the patched version was released on January 26 and their sites were updated automatically.