Security researchers at Wordfence reported on Friday that almost 2 million WordPress sites have been hacked and defaced in a recent series of hacking campaigns.
The hacks are coming from a couple dozen different malicious actors, but they all have one detail in common: all the hackers are exploiting a security hole which had been patched in the latest WordPress update.
The hackers are targeting sites which are still running on older, vulnerable versions of WordPress:
Yesterday we published numbers indicating how widespread the defacement campaign is targeting the REST-API vulnerability recently fixed in WordPress 4.7.2. If you have not updated to 4.7.2 already on all sites you operate, do so immediately. …
Yesterday when we published our initial research on the defacement campaigns we are tracking, we published data on 19 separate defacement campaigns. (20 total, but one is the same string, just capitalized differently, so we have removed it.)
The total number of defaced pages for all these campaigns, as indexed by Google, has grown from 1,496,020 to 1,893,690. That is a 26% increase in total defaced pages in just 24 hours.
All of the defaced sites were identified because the hackers left a calling card.
The affected sites include a Swedish Android blogger I know, Glenn Beck’s personal site, a US Department of Energy site, the Utah Office of Tourism’s travel.utah.gov, Vanderbilt University’s Center for Teaching, and many more:
- SUSE Linux distribution news site news.opensuse.org defaced.
- Ireland’s National Treasury Management Agency and the website of the Irish Tourism Minister defaced.
- In Japan the website of Olympic minister Tamayo Marukawa defaced.
- Two hospitals in Japan including Ibaraki Prefectural Central Hospital and Fukui Prefectural Hospital defaced.
- The World Series of Fighting wsof.com website defaced.
At least two million sites have been impacted so far, but that’s not the scary part of this story.
No, the part that scares me is that the two million sites identified so far are merely the sites we know about.
There’s an unidentified and even larger number of sites which have been hacked and defaced with spam link adverts for Viagra, Cialis, and – well, you don’t want to know.
If your site is running on an old version of WordPress, you could have been hacked and not even know it.
This literally happened to one of my clients a few weeks back, which is why tonight I have been sending emails to friends and clients, warning them of the potential danger.
I have also already fixed sites for clients, and I expect to fix a few dozen more sites before the weekend is out. (And I can fix yours.)
O O O
I am working on a longer post about how to secure a WP site, but in the meantime here are a few steps you can take to protect your site.
- First, update the core WP software. Then update the plugins.
- Second, see if you have any new posts or pages. Delete them.
- Third, type your site’s URL into the scanner at Sucuri and see if you have been hacked. If you have been hacked, hire Sucuri to fix it.
- Fourth, install and configure a firewall app. Sucuri is a good option, and so is Wordfence.
There are a dozen more steps you can take to protect your site, but these three steps are enough to protect yourself from the immediate problem.
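The first two steps can be turned into a repeatable check. The sketch below is an added example, not code from the original post or from WordPress, Sucuri or Wordfence: it flags a core version older than 4.7.2 and lists posts or pages that are new since a known-good date, and goes slightly beyond the list above by also flagging existing posts that were modified after that date or that contain the spam terms mentioned earlier. It assumes the post list has been exported with the fields shown (for instance as JSON from WP-CLI's `wp post list`) and that versions are plain release numbers; the cutoff date and sample rows are constructed.

```python
from datetime import datetime

PATCHED = (4, 7, 2)                # release the post names as fixing the REST-API hole
SPAM_TERMS = ("viagra", "cialis")  # spam keywords mentioned in the post
FMT = "%Y-%m-%d %H:%M:%S"          # timestamp format of post_date / post_modified

def parse_version(text):
    """'4.7.1' -> (4, 7, 1); a short release number such as '4.7' pads to (4, 7, 0)."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def needs_update(version):
    """True when the core version is older than the patched release."""
    return parse_version(version) < PATCHED

def suspicious_posts(posts, last_known_good):
    """Return [(ID, [reasons])] for posts or pages that deserve a manual look."""
    cutoff = datetime.strptime(last_known_good, FMT)
    findings = []
    for post in posts:
        reasons = []
        if datetime.strptime(post["post_date"], FMT) > cutoff:
            reasons.append("created after cutoff")
        elif datetime.strptime(post["post_modified"], FMT) > cutoff:
            reasons.append("modified after cutoff")
        text = (post["post_title"] + " " + post.get("post_content", "")).lower()
        hits = [term for term in SPAM_TERMS if term in text]
        if hits:
            reasons.append("spam terms: " + ", ".join(hits))
        if reasons:
            findings.append((int(post["ID"]), reasons))
    return findings

# Constructed sample export (not data from any real site).
SAMPLE_POSTS = [
    {"ID": 12, "post_type": "page", "post_title": "About",
     "post_date": "2016-03-01 10:00:00", "post_modified": "2016-03-01 10:00:00",
     "post_content": "Who we are."},
    {"ID": 40, "post_type": "post", "post_title": "Launch notes",
     "post_date": "2016-11-20 09:30:00", "post_modified": "2017-02-08 02:14:00",
     "post_content": "Replaced text"},
    {"ID": 57, "post_type": "post", "post_title": "Cheap Cialis online",
     "post_date": "2017-02-09 03:01:00", "post_modified": "2017-02-09 03:01:00",
     "post_content": "buy viagra"},
]

if __name__ == "__main__":
    print("core needs update:", needs_update("4.7.1"))
    for post_id, reasons in suspicious_posts(SAMPLE_POSTS, "2017-01-20 00:00:00"):
        print(post_id, "; ".join(reasons))
```

Set the cutoff to the date of your last backup you trust; anything the function returns still needs a human to decide whether it is legitimate before deleting or restoring it.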
If you need expert assistance, I am here to help. Fixing problems like this is what I do for a living.