Towards the end of 2016, WordPress 4.7 “Vaughn” was released. Over the next couple of weeks, point releases were made available, fixing the bugs that accompany any new software. But WordPress 4.7.2 also fixed a critical security vulnerability that allowed attackers to edit or publish posts on a WordPress site without authentication. Unfortunately, large numbers of WordPress sites have not been updated and remain vulnerable to the attack.
A mistake in the way the REST API handled requests opened a door for attackers, and they haven’t been shy to exploit the opportunity. With an easily crafted request to a WordPress site’s API endpoints — which are active by default — an attacker can deface posts and publish new posts of their own.
As a result, millions of web pages have been defaced. Some of the defacements are pure vandalism, but attackers quickly began to exploit the vulnerability to make money.
SEO spam is a commonly used “black hat” technique to improve the search visibility of pages that would otherwise not rank. These pages are often associated with malware, affiliate scams, and other unsavory money-spinners of the dark online economy.
SEO spam of this type works by introducing links and content onto as diverse a range of pages as possible, particularly sites with a good reputation. To search engines, the linked-to pages appear to be highly popular, so they are given more prominence in search results.
The opportunity presented by the WordPress REST API vulnerability is obvious. It’s easy to exploit, can be automated, and there is an almost endless supply of vulnerable sites.
At the time of writing, most WordPress sites have been updated to WordPress 4.7.2 and are no longer vulnerable. But a frustratingly large cohort of WordPress sites have yet to update. Several weeks after the patch that fixed the vulnerability was made available, security researchers still regularly see sites compromised because they’ve failed to update.
Our advice here is simple:
- If your site has not been updated to WordPress 4.7.2, update immediately.
- Turn on automatic updates. Sites with automatic updates activated will apply minor upgrades and security patches without any intervention from the site’s owners. It’s the best way to make sure a site is always running the most up-to-date and secure version of WordPress.
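As an added example (not code from the original post), a small Python audit that applies both pieces of advice to a site's files offline: it reads the `$wp_version` string from `wp-includes/version.php` and flags anything below 4.7.2, and it inspects wp-config.php for the two WordPress constants that switch core auto-updates off. The file contents used here are constructed sample strings, not taken from a real site.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample inputs standing in for two files of a WordPress install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"
SAMPLE_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n"

FIXED_VERSION = (4, 7, 2)  # first release carrying the REST API fix

def parse_wp_version(version_php: str) -> Optional[Tuple[int, ...]]:
    """Extract $wp_version from wp-includes/version.php as a tuple of ints."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        return None
    # Keep only the dotted numeric prefix ('4.7.1-beta2' -> '4.7.1') so that
    # versions compare numerically: 4.7.10 is newer than 4.7.2.
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    return tuple(int(p) for p in nums.group(0).split(".")) if nums else None

def needs_update(version: Tuple[int, ...]) -> bool:
    """True when the install is older than 4.7.2 ('4.7' counts as 4.7.0)."""
    padded = version + (0,) * (3 - len(version))
    return padded[:3] < FIXED_VERSION

def _define_value(config: str, name: str) -> Optional[str]:
    """Return the lower-cased literal passed to define('NAME', ...), or None."""
    pattern = r"define\s*\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*([^)]+?)\s*\)"
    m = re.search(pattern, config)
    return m.group(1).lower() if m else None

def minor_auto_updates_enabled(config: str) -> bool:
    """Decide whether core will apply minor/security releases on its own.

    Minor core updates are on by default; AUTOMATIC_UPDATER_DISABLED true turns
    off every update and WP_AUTO_UPDATE_CORE false turns off core updates. Any
    other WP_AUTO_UPDATE_CORE value (true, 'minor', ...) keeps minor releases on.
    """
    if _define_value(config, "AUTOMATIC_UPDATER_DISABLED") == "true":
        return False
    return _define_value(config, "WP_AUTO_UPDATE_CORE") != "false"

def audit(version_php: str, config: str) -> Dict[str, object]:
    """Apply both checks from the advice above to the two files' contents."""
    version = parse_wp_version(version_php)
    return {
        "version": version,
        "needs_update": version is None or needs_update(version),
        "auto_updates_enabled": minor_auto_updates_enabled(config),
    }
```

Run against the sample strings, `audit` reports version 4.7.1 as needing the update and core auto-updates as disabled, which is exactly the combination the post warns about.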