More than 100,000 WordPress sites hacked via REST API zero-day

WordPress was updated on January 26th to patch three separate security vulnerabilities. At the time, the folks at WordPress advised that you should update immediately which is fairly normal (and recommended). What you may not know, is that a fourth vulnerability was kept private for several weeks. Why wasn’t it publicized? Security through obscurity. An unauthenticated privilege escalation vulnerability was found in a REST API endpoint. The flaw that was found by the team at Sucuri, potentially allowing malicious users to compromise any out of date installation of WordPress fairly easily. In this case, failure to disclose the vulnerability likely protected millions of users. More than 100,000 sites have been compromised after failing to update. That’s extremely important to note… the sites were not compromised prior to the update being released. They were compromised after the update was released and prior to the admins actually deploying the update to their sites. When the exploit became common knowledge, they no longer had security through obscurity.

We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.

What can you do to ensure you’re protected? Well, you need to keep your WordPress site up to date. Enable automatic updates and ensure they deploy successfully. Keep your plugins up to date. Keep your themes up to date. Finally, invest in a quality security plugin like WordFence or Sucuri and consider using a reputable WAF.

Regarding a recent comment advising not to update because “the old version is probably secure” and “the new version might create an additional attack vector”…

Can new exploits be introduced in a WordPress core update? Of course they can. However, not updating your site because you “think” the current version is secure is a severely flawed line of thinking as updates are released to patch known and easily exploitable flaws. The fact of the matter is that short of being the person who discovers the flaw, you just won’t know if there is a currently unknown exploit in the version of WordPress you’re using… so, it’s best to keep WordPress core files, themes and plugins up to date whenever possible.

Black Pine Cyber

We banish the technobabble and the geek speak. Complex ideas, technology and information security made simple. We are Black Pine Cyber. Have questions? Contact us now!