This week, tens of thousands of WordPress sites were compromised through a vulnerability in the new WordPress REST API, leading to the defacement of millions of pages.
According to the Wordfence blog, several million pages – and counting – had been indexed by Google containing the calling card of the attackers.
Amongst those affected were a large number of high-profile websites, serving as a stark reminder that any WordPress site can be vulnerable, especially if it is not kept up to date.
On this occasion, the vulnerability allowed content to be injected into existing posts and pages, hence the widespread defacement of websites. It does not appear that the website files themselves were compromised, nor were any sensitive details such as login credentials breached. It did however leave an almighty mess for site owners to clear up, testing their disaster recovery and backup procedures.
Sites which were up to date – 4.7.2 at the time of writing – were not affected, as the vulnerability in question had been addressed in a security update. Websites which had automatic updates enabled had typically already updated silently and so were not affected.
The lesson to be learnt here is two-fold:
- Have a robust backup procedure in place. Make sure the backups are stored elsewhere, and that they have been tested to ensure that you are able to roll back should the worst happen.
- Ensure WordPress and all plugins are kept up to date. The vast majority of hacked WordPress sites are the result of updates not being applied.
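As an added example (not part of the original post), here is a small check that turns the second lesson into something you can run against a WordPress install: it reads the core version from `wp-includes/version.php`, compares it with the 4.7.2 release the post names as containing the fix, and reports if `wp-config.php` has switched off the background updates that would have applied that fix silently. The sample file contents are constructed for the demonstration.

```python
"""Report a WordPress install that is below 4.7.2 or has core auto-updates disabled."""
import re

FIXED_VERSION = (4, 7, 2)  # the release the post names as carrying the fix

# Constructed sample inputs standing in for the two real files.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_CONFIG_PHP = ("<?php\ndefine('DB_NAME', 'wp');\n"
                     "define('AUTOMATIC_UPDATER_DISABLED', true);\n")


def parse_wp_version(version_php: str) -> tuple:
    """Extract $wp_version (e.g. '4.7.1') as a tuple of ints for comparison."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    core = m.group(1).split("-")[0]          # drop suffixes such as '-alpha'
    return tuple(int(part) for part in core.split("."))


def _constant(name: str, wp_config_php: str):
    """Return the literal value of define('NAME', ...) in wp-config.php, or None."""
    pattern = r"define\(\s*['\"]" + name + r"['\"]\s*,\s*(true|false|'[^']*')\s*\)"
    m = re.search(pattern, wp_config_php, re.IGNORECASE)
    return None if not m else m.group(1).lower().strip("'")


def auto_updates_enabled(wp_config_php: str) -> bool:
    """True unless wp-config.php disables core background updates.

    AUTOMATIC_UPDATER_DISABLED = true turns off every background update;
    WP_AUTO_UPDATE_CORE = false turns off core updates only. Any other
    setting (absent, 'minor', true) leaves security releases applying.
    """
    if _constant("AUTOMATIC_UPDATER_DISABLED", wp_config_php) == "true":
        return False
    if _constant("WP_AUTO_UPDATE_CORE", wp_config_php) == "false":
        return False
    return True


def assess(version_php: str, wp_config_php: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    version = parse_wp_version(version_php)
    if version < FIXED_VERSION:
        findings.append("core %s is older than 4.7.2: update now" % ".".join(map(str, version)))
    if not auto_updates_enabled(wp_config_php):
        findings.append("core background updates are disabled: fixes will not apply silently")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION_PHP, SAMPLE_CONFIG_PHP) or ["no findings"]:
        print(finding)
```

On a real install, read the two files from the WordPress root instead of the constructed samples.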
If your website has been hacked, you aren’t sure how to put a robust backup procedure in place, or you are just looking for peace of mind from a thorough security audit, get in touch and we’ll be happy to help.