That zero-day vulnerability WordPress kept secret for a week is being used by hackers on unpatched sites

Feb 7, 2017 15:21 GMT  ·  By

That critical WordPress vulnerability that got everyone talking last week has already been exploited by thousands of hackers.

According to security firm Sucuri, thousands of websites have been hacked solely because their admins did not bother to update their WordPress installations, as the company advised.

If you remember, it was two weeks ago that WordPress came out and said that it had rolled out a security update for three vulnerabilities. The blog post was pretty short and didn’t reveal much; it just left everyone wondering why there was an update so soon after the previous one.

One week later, WordPress came clean and explained that a serious vulnerability had been introduced along with that previous security update, one that allowed hackers remote, unauthorized access to edit or delete WordPress pages.

The vulnerability had been spotted by Sucuri and reported to WordPress. The week of silence on the issue was meant to give site owners who had turned off automatic updates time to apply the patch themselves. That did not work out, however: as Sucuri points out, attacks started pouring in less than 48 hours after the disclosure.

Defacing and spamming

The company has revealed that it is currently tracking four different hacking groups doing mass scans and exploit attempts across the Internet. One of the defacers has already compromised over 66,000 pages, and the number will likely increase. Several IP addresses are used for the job, and the group behind the attack seems to be w4l3XzY3. The security firm recommends blocking four IP addresses or investigating their activity in your logs: 176.9.36.102, 185.116.213.71, 134.213.54.163, 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1.

A second campaign has hit about 500 pages so far, but it only started recently. The IP address behind this defacer is 37.237.192.22, so you might want to block that one too if you haven’t updated yet. The group behind it is Cyb3r-Shia.

A third campaign has also compromised over 500 pages thus far. Behind the 144.217.81.160 IP address there are two defacers: By+NeT.Defacer and By+Hawleri_hacker.
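Sucuri's advice above is to block the listed addresses or look for them in your logs. The script below is an added example written for this article, not code from Sucuri or WordPress: it scans web server access log lines for requests from the six addresses named in the three campaigns and reports which campaign each hit belongs to. It assumes the common Apache/nginx "combined" log format, and the log lines it runs on are constructed for the demonstration, not real traffic. The point worth noting is the IPv6 address: it must be compared as a parsed address, not as a string, because the same address can be written in upper case, with zero-padded groups, or with `::` compression.

```python
import ipaddress
import re
from collections import Counter

# Addresses the article reports Sucuri attributing to the three defacement campaigns.
CAMPAIGN_IPS = {
    "176.9.36.102": "w4l3XzY3",
    "185.116.213.71": "w4l3XzY3",
    "134.213.54.163": "w4l3XzY3",
    "2a00:1a48:7808:104:9b57:dda6:eb3c:61e1": "w4l3XzY3",
    "37.237.192.22": "Cyb3r-Shia",
    "144.217.81.160": "By+NeT.Defacer / By+Hawleri_hacker",
}

# Parse each literal once. ipaddress canonicalises IPv6 (case, zero padding, :: compression),
# so a log line written "2A00:1A48:...:0104:..." still matches the entry above.
BLOCKED = {ipaddress.ip_address(ip): group for ip, group in CAMPAIGN_IPS.items()}

# Assumed "combined" log format: the client address is the first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip_str, ts, method, path, status = m.groups()
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed address: skip the line rather than abort the whole scan
        return None
    return ip, ts, method, path, int(status)


def find_campaign_hits(lines):
    """Return one dict per request that came from a listed campaign address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in BLOCKED:
            hits.append({"ip": str(ip), "group": BLOCKED[ip], "time": ts,
                         "method": method, "path": path, "status": status})
    return hits


def hits_per_group(hits):
    """Count matched requests per campaign, useful for deciding which sites to inspect first."""
    return dict(Counter(h["group"] for h in hits))


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:09:58:11 +0000] "GET / HTTP/1.1" 200 5123
176.9.36.102 - - [06/Feb/2017:10:02:43 +0000] "POST /index.php HTTP/1.1" 200 311
2A00:1A48:7808:0104:9B57:DDA6:EB3C:61E1 - - [06/Feb/2017:10:03:01 +0000] "POST /index.php HTTP/1.1" 200 298
37.237.192.22 - - [06/Feb/2017:11:14:09 +0000] "GET /?p=12 HTTP/1.1" 200 4420
not a log line at all
144.217.81.160 - - [06/Feb/2017:12:30:55 +0000] "POST /index.php HTTP/1.1" 403 210
""".splitlines()

if __name__ == "__main__":
    hits = find_campaign_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]}  {h["ip"]:<40} {h["group"]:<36} {h["method"]} {h["path"]} -> {h["status"]}')
    print(hits_per_group(hits))
```

On the sample input the scan flags four requests, including the IPv6 one despite its upper-case, zero-padded spelling, and skips the unparseable line. To run it against a real site, replace `SAMPLE_LOG` with the lines of your access log; a 200 response to a write request from one of these addresses is the case that deserves a closer look at the affected posts.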

While the defacing campaigns are likely to die down in the days to come, this security problem could still cause trouble in other ways. Sucuri points out that it expects a lot more SEO spam in the future: a few exploits are already trying to add spam images and content to posts, which could turn into monetization opportunities for the hackers.