By waiting a week to disclose the issue, WordPress kept attackers at bay while sites updated

Feb 2, 2017 09:10 GMT

A few days ago, WordPress rolled out a security update fixing three bugs without saying much about the circumstances. Now it has revealed that the same release also fixed a fourth, then-undisclosed vulnerability that allowed remote, unauthenticated attackers to edit or delete WordPress pages.

WordPress says it withheld the details not merely to avoid alarming site owners, but to keep attackers from learning about the flaw before as many sites as possible had a chance to update.

The unauthenticated privilege escalation and content injection flaw affected WordPress 4.7 and 4.7.1. On unpatched sites it let an attacker modify the content of any post or page, for example to inject links or scripts that redirect visitors to malicious sites, or to stage a range of further attacks against those visitors.

WordPress waited a week before explaining the situation and urges anyone who has not yet applied the update to do so immediately.

How it all started

Sucuri reported the vulnerability on January 20 after one of its researchers, Marc-Alexandre Montpas, discovered it. Sucuri found no exploitation attempts in the wild before bringing the problem to WordPress. A fix was written quickly, but the WordPress security team wanted further testing before shipping it.

Sucuri added rules to its Web Application Firewall to block exploit attempts against its customers, and other companies were contacted so they could deploy similar rules to protect users before the update was rolled out.

“On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users,” WordPress explained, describing the lengths it went to in order to protect users.

By Wednesday most of the hosts WordPress had contacted were blocking exploit attempts, and on Thursday the security update was released. Millions of WordPress 4.7.x sites were patched within hours thanks to automatic background updates. Sites that have automatic updates disabled and have yet to install the update should do so as soon as possible.