Admission ticket for the Seccon 2016 final competition in January 2017 in Tokyo. (Photo by Tomohiro Ohsumi/Getty Images)

WordPress Bug Allows Hackers to Alter Website Content

A bug in a WordPress REST API endpoint allowed more than 67,000 websites to be defaced over the past two weeks, according to bleepingcomputer.com; WordPress has since released a new version of the content management software with a patch for the problem. The bug let remote attackers, without logging in, alter or inject content in existing posts and pages.

Although web security firm Sucuri reported the vulnerability, which affects WordPress 4.7 and 4.7.1, to the WordPress security team on Jan. 20, the two organizations agreed to wait until last week, once a fix had shipped in WordPress 4.7.2, before announcing the bug publicly, Sucuri security researcher Marc-Alexandre Montpas said in a blog post. If your website is one of the 27 percent of all sites that run WordPress, Data Center Knowledge among them, Sucuri strongly recommends updating to 4.7.2 as soon as possible.

Data Center Knowledge has done so, but not before a few of its headlines were altered to read “Hacked by (insert group name here)”. Sucuri also warned that the 4.7.2 update may not be applied automatically even when automatic updates are turned on, so site owners should confirm the installed version (under Dashboard > Updates, or with the WP-CLI command wp core version) rather than assume the update has landed.

“Due to this type-juggling issue, it is then possible for an attacker to change the content of any post or page on a victim’s site,” Montpas wrote. “From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads, etc.”
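To make the “type juggling” in that quote concrete, here is a standalone PHP illustration, added here and not WordPress’s own code or code from Sucuri’s post, of the class of bug being described: a permission check and the update it is supposed to guard resolve the request’s id parameter in two different ways. PHP’s is_numeric() rejects a leading-numeric string such as "123abc", while an (int) cast silently turns it into 123, so a guard that only fires when a strict lookup finds a post can be skipped while the lenient lookup used for the write still finds the target. The in-memory post store, the user names and the function names are all constructed for the example.

```php
<?php
// Constructed example: a tiny in-memory post store standing in for a
// database. Not WordPress code; the names below are invented for the demo.
$posts = [
    123 => ['author' => 'alice', 'title' => 'Original title'],
];
$caller = 'mallory'; // a user who does not own post 123

// Strict lookup: anything that is not purely numeric is treated as "no post".
function lookup_strict(array $posts, $id)
{
    if (!is_numeric($id)) {
        return null;
    }
    return $posts[(int) $id] ?? null;
}

// Lenient lookup: casts first, so a leading-numeric string still resolves.
function lookup_lenient(array $posts, $id)
{
    return $posts[(int) $id] ?? null;
}

// Vulnerable check-then-act: the ownership guard and the write each derive
// the post from the raw id independently, using different rules.
function update_vulnerable(array &$posts, string $user, $id, string $newTitle): string
{
    $post = lookup_strict($posts, $id);
    if ($post !== null && $post['author'] !== $user) {
        return 'denied'; // only enforced when the strict lookup finds a post
    }
    $post = lookup_lenient($posts, $id);
    if ($post === null) {
        return 'not found';
    }
    $posts[(int) $id]['title'] = $newTitle;
    return 'updated';
}

// Hardened version: validate and canonicalise the id exactly once, then use
// that single integer for both the ownership check and the write.
function update_fixed(array &$posts, string $user, $id, string $newTitle): string
{
    if (!ctype_digit((string) $id) || (int) $id <= 0) {
        return 'invalid id';
    }
    $id = (int) $id;
    if (!isset($posts[$id])) {
        return 'not found';
    }
    if ($posts[$id]['author'] !== $user) {
        return 'denied';
    }
    $posts[$id]['title'] = $newTitle;
    return 'updated';
}

// Well-formed id versus a leading-numeric id that is_numeric() rejects
// but (int) accepts, against both implementations.
foreach (['123', '123abc'] as $id) {
    $copy = $posts;
    printf("vulnerable, id=%-7s %s\n", $id, update_vulnerable($copy, $caller, $id, 'Hacked'));
    $copy = $posts;
    printf("fixed,      id=%-7s %s\n", $id, update_fixed($copy, $caller, $id, 'Hacked'));
}
```

Run it with the php CLI. With the purely numeric id the vulnerable path is denied, because the strict lookup finds the post and the ownership test runs; with "123abc" the strict lookup returns null, the guard is skipped, and the lenient lookup still lands on post 123, so the title is rewritten by a user who does not own it. The fixed version rejects the malformed id outright and denies the well-formed one, because the check and the action share one canonicalised key. That is the shape of the proper fix for any check-then-act pair: never let the guard and the guarded operation interpret the same input independently.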

Thousands of sites were compromised, and according to bleepingcomputer.com defacements were until recently still running at about 3,000 a day; WordPress argues the damage would have been far wider had the bug been announced before a fix was available.

“We believe transparency is in the public’s best interest,” WordPress Core Contributor Aaron Campbell wrote in a blog post. “It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”

For additional information about the bug, visit The Whir.

Also, at the upcoming Data Center World conference April 3-6 in Los Angeles, renowned former hacker Kevin Mitnick will present tips for spotting and preventing such attacks during his keynote address.


About the Author

Technology writer and editor Karen Riccio spent 15 years as managing editor for Data Center Management magazine, published by AFCOM – a leading industry association whose mission is to advance the professional development of individuals in the field of data center and facilities management. She is currently content editor for AFCOM.com as well as its weekly newsletter. Karen also oversees the Industry Perspectives section of Data Center Knowledge. She can be reached at karen.riccio@penton.com.
