Nearly 2 million WordPress sites have been compromised and defaced within the last few weeks due to a severe content injection vulnerability affecting the recently added REST API.

WordPress 4.7.0 and 4.7.1 enabled the REST API by default, intending to give users easier access to posts, comments, and other content. However, an unauthenticated privilege escalation vulnerability in one REST API endpoint has allowed attackers to access and modify the content of any WordPress site running those versions.

Among other consequences, attackers have been disrupting SEO since late January by replacing content on defaced WordPress sites with spam images and text, seeking monetization opportunities and spreading political propaganda. Numerous defacement campaigns have competed with one another to leave their marks and exploit this bug.

In early February, WordPress quietly released version 4.7.2 with a fix for this issue. The fix was publicly announced a week later to give users time to patch.

Andrew Adcock, Senior Web Developer at Unleashed, explains, “Security vulnerabilities, like the one we saw in late January, are an unfortunate consequence of an open and fast-paced internet.” As a WordPress Specialist, Adcock advises, “Keeping your WordPress site up-to-date is the best way to prevent these types of attacks. Using plugins, such as iThemes Security, Wordfence, and Sucuri, makes hardening your site's security a breeze.”

As attacks against WordPress versions 4.7.0 and 4.7.1 continue, Unleashed encourages all users to enable automatic updates on their WordPress installations to prevent this kind of security breach in the future.
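The two practical questions raised above are whether an install is still on one of the affected releases (4.7.0 or 4.7.1, fixed in 4.7.2) and whether core automatic updates are actually on. The following script is an added example written for this article, not Unleashed's own tooling; it assumes a standard WordPress layout in which `wp-includes/version.php` assigns `$wp_version` and `wp-config.php` may define the `WP_AUTO_UPDATE_CORE` constant, and it works on the file contents so it can run offline against a copy of the site. The sample file contents at the bottom are constructed for illustration.

```python
import re

# Versions the article names as affected, and the release that fixes them.
AFFECTED_VERSIONS = {(4, 7, 0), (4, 7, 1)}
FIXED_VERSION = (4, 7, 2)

# wp-includes/version.php contains a line such as: $wp_version = '4.7.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# wp-config.php may contain: define( 'WP_AUTO_UPDATE_CORE', false );
AUTO_UPDATE_RE = re.compile(
    r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*([^)]+?)\s*\)")


def parse_version(text):
    """Turn a WordPress version string into a 3-tuple.
    WordPress writes the .0 release as '4.7', so missing parts become 0;
    pre-release suffixes such as '-beta1' are dropped."""
    core = re.split(r"[-+]", text.strip())[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def read_wp_version(version_php):
    """Extract the core version from the contents of wp-includes/version.php."""
    match = VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return parse_version(match.group(1))


def auto_update_mode(wp_config):
    """Classify WP_AUTO_UPDATE_CORE from wp-config.php contents.
    Returns 'enabled' (true or 'minor'), 'disabled' (false), or 'default'
    when the constant is not defined at all. With no constant, WordPress
    installs minor/security releases automatically unless something else
    (a plugin, AUTOMATIC_UPDATER_DISABLED) switches that off, so 'default'
    is worth confirming rather than assuming."""
    match = AUTO_UPDATE_RE.search(wp_config)
    if not match:
        return "default"
    value = match.group(1).strip().strip("'\"").lower()
    if value == "false":
        return "disabled"
    return "enabled"


def assess(version_php, wp_config):
    """Combine both checks into a small report dict with human-readable findings."""
    version = read_wp_version(version_php)
    mode = auto_update_mode(wp_config)
    findings = []
    if version in AFFECTED_VERSIONS:
        findings.append(
            "core %s is an affected release; update to %s or later"
            % (".".join(map(str, version)), ".".join(map(str, FIXED_VERSION))))
    if mode == "disabled":
        findings.append("core auto-updates are explicitly disabled in wp-config.php")
    return {
        "version": ".".join(map(str, version)),
        "affected": version in AFFECTED_VERSIONS,
        "auto_update": mode,
        "findings": findings,
    }


# Constructed sample file contents standing in for a real install.
SAMPLE_VERSION_PHP = """<?php
$wp_version = '4.7.1';
"""
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_AUTO_UPDATE_CORE', false );
"""

if __name__ == "__main__":
    # To check a live install, read the two files from disk instead of the samples.
    report = assess(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print(report)
```

Run against the constructed sample it reports two findings: the site is on 4.7.1 and has auto-updates switched off. For a real site, replace the sample strings with the contents of `wp-includes/version.php` and `wp-config.php`; a result of `"default"` for auto-updates means nothing in `wp-config.php` overrides WordPress's built-in behaviour, which is the state this article recommends confirming rather than leaving to chance.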

With Unleashed's Support & Growth package, websites have 24x7x365 support, regular platform patches and updates, and ongoing maintenance year-round to keep sites secure, functional, and continuously evolving. Contact us to learn more.