UPDATE: This post is about the hacks that happened as a result of a bug in the WordPress REST API in early 2017. It's probably no longer relevant except for historical reasons. See the Sucuri post for more details.
Have you heard the chatter over the past few weeks about the latest WordPress bug that launched a hacking spree, a veritable "feeding frenzy" in which hackers defaced millions of web pages?
I reported it here and predicted that there would be a sharp rise in the number of attacks based on it.
This post will follow up with the latest on the situation and the controversies.
As usual, the question most small business owners will ask is “Does this affect me?” or “What do I have to do now?”
The short answer is "Yes, it does affect you" but there are some simple things you can do to protect yourself completely from this attack.
For the longer answer, read on ...
1.5 Million Websites Hacked
It appears accurate that one to two million WordPress websites have been compromised. Most of these attacks have been in the form of relatively trivial page defacements where page contents were overwritten with simple hacker logos just to prove a point. What that point is I sometimes have no idea!
Some evidence of not-very-sophisticated hacking found on WordPress websites yesterday afternoon
Inevitably the attacks have since become more sophisticated. Attackers are now injecting more elaborate content into the compromised pages, either to monetise the compromise (typically search-engine spam) or, where a plugin allows PHP to run inside post content, to execute commands on the server.
It's now been several weeks since the attacks began and many sites remain defaced and at risk to these more sophisticated attacks.
Poor Management By The WordPress Team?
Adding fuel to the fire is the controversy surrounding the handling of the entire problem.
Most reasonable reports agree that the WordPress team handled the problem extremely promptly and professionally. The sequence of events was like this:
- The Sucuri team found the vulnerability
- They informed the WordPress security team
- The WordPress team decided to delay announcing the bug so that as many sites as possible could automatically update to the latest version of WordPress (which fixed the problem)
- The team later announced the bug
- As predicted, once the vulnerability was made public the hackers jumped at the chance to deface the sites of innocent but careless owners
But there are always the complainers who could, presumably, have done it better.
Too many voices?
Thanks to improved reporting these days, everyone now gets to voice their opinion. Many commentators, like the German site heise.de, took the opportunity to criticise the WordPress team for delaying the announcement of the problem:
"The WordPress Security Team has deliberately kept the true nature of this vulnerability secret"
Of course they did! This allowed all sensible WordPress website owners to update their WordPress software. Installing an update of the WordPress files was all that was needed to protect against these attacks.
Just as importantly, the delay denied attackers the head start they would otherwise have had over site owners who had not yet updated.
It’s all too easy in hindsight to deplore the outcome of any decision. The fact is that a decision had to be made and I believe the WordPress team made the right one at the time. If they had immediately announced the vulnerability many more sites would have been compromised.
Allowing more time for owners to update the software meant more sites were protected by the time of the announcement and the subsequent onslaught from various hacker camps.
As I'll never tire of reminding website owners - updates are the single most effective way to protect yourself from hackers. Regularly applying updates should be part of standard operating procedure for anyone owning a WordPress website.
Automatic Updates Are Often Disabled
WordPress has a built-in feature to automatically apply updates but some site owners turn this off for a variety of reasons; maybe they want to install the updates at a controlled time; maybe they want to test updates before installing; or for some other reason.
According to heise.de, many users turn this feature off because “WP is not compatible with the hosting provider's software”. To be honest, I find it hard to take this statement seriously. It is the hosting provider's job to provide software that is compatible with the latest versions of popular software like WordPress, not vice-versa!
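The settings behind that on/off switch, as an added example that is not part of the original post or of WordPress's own documentation: the `wp-config.php` constants that commonly turn background updates off, the corrected values, and a small must-use plugin (the file name `wp-content/mu-plugins/keep-updates-on.php` and the `kuo_` prefix are assumptions) that forces updates on and warns the administrator while one of the blocking constants is still set. The constant, filter and function names used are WordPress core's.

```php
<?php
// Added example, not code from the original post. File 1 of 2: wp-config.php
// excerpt. The constant names are WordPress core's; the values marked "weak"
// are the ones that quietly switch automatic background updates off.

// --- Weak settings (shown commented out; do not use on a production site) ---
// define( 'AUTOMATIC_UPDATER_DISABLED', true ); // disables every background update
// define( 'WP_AUTO_UPDATE_CORE', false );       // no core updates, security releases included
// define( 'DISALLOW_FILE_MODS', true );         // blocks the updater too, not only the editor

// --- Corrected settings ---
// 'minor' (the WordPress default) installs security and maintenance releases
// automatically; true also installs major releases. Either value covers the
// kind of security release discussed in this post.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
// If the aim was to stop people editing code from the dashboard, use this
// instead of DISALLOW_FILE_MODS: it removes the theme/plugin editor only and
// leaves the updater working.
define( 'DISALLOW_FILE_EDIT', true );

// ---------------------------------------------------------------------------
// File 2 of 2: wp-content/mu-plugins/keep-updates-on.php (assumed file name).
// Plugin Name: Keep automatic updates on
// A must-use plugin loads before normal plugins and cannot be deactivated
// from the dashboard, so a badly behaved plugin cannot switch updates off.
// ---------------------------------------------------------------------------

// Force background updates for core, plugins and themes. The auto_update_*
// filters are applied after WP_AUTO_UPDATE_CORE is consulted, so returning
// true here overrides a plugin (or a WP_AUTO_UPDATE_CORE of false) that
// would otherwise say no.
add_filter( 'auto_update_core',   '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );

// What the filters cannot override: AUTOMATIC_UPDATER_DISABLED and
// DISALLOW_FILE_MODS are checked before any item is considered, and a PHP
// constant cannot be undefined at runtime. Report them instead. Returned as a
// list so the check can be reused from WP-CLI or a cron job.
function kuo_update_blockers() {
    $blockers = array();
    if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
        $blockers[] = 'AUTOMATIC_UPDATER_DISABLED';
    }
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        $blockers[] = 'DISALLOW_FILE_MODS';
    }
    return $blockers;
}

// Show a red notice on every admin screen, to users allowed to update core,
// while any blocker is present. The fix has to be made in wp-config.php.
add_action( 'admin_notices', function () {
    $blockers = kuo_update_blockers();
    if ( empty( $blockers ) || ! current_user_can( 'update_core' ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p>Automatic updates are disabled by '
        . esc_html( implode( ', ', $blockers ) )
        . ' in wp-config.php. Security releases will not be installed until this is removed.</p></div>';
} );
```

The point of splitting it this way: the filters in the must-use plugin keep updates on against anything a normal plugin does, while the notice catches the two hard switches that no plugin can undo, which is exactly where the "my host says it is not compatible" configurations tend to hide.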
Any business owner who is serious about running their business website on WordPress will ensure that their hosting provider is reputable and up to date.
And anyone calling themselves a hosting provider should be among the first to have the most up to date platforms (recent, stable versions of MySQL & PHP being foremost among those for WordPress users). If they don't, simply stay away from them. There are many excellent and inexpensive options out there.
Sadly, I know this isn’t always the case and I’ve seen far too many hosting companies - particularly here in mainland Europe - with deplorably outdated installations. They're far behind the times when it comes to supporting updated software.
What WPStrands found
In a quick search yesterday I discovered many sites (816,000 in Google's index!) that are still compromised. I directly contacted the owners of forty of these sites: a random assortment of doctors, lawyers, coaches, marketers and others.
Not surprisingly, the more reputable sites - the more serious businesses who keep on top of and react promptly to these problems - had the problem fixed by the time I arrived on their sites.
Also not surprisingly, not a single contacted site owner has responded to my email about the hack and my offer to help, indicating that these are websites no one is paying attention to. I found it hilarious that among this group was a Data Security specialist firm in the UK! Oops! Surely the web is a better place without these businesses.
But the problem is not just that these sites have been defaced; once compromised, they can and will be used as a launching pad for further attacks and spam outbreaks.
Who's Learning From This?
I’ve learned two things from all of this – or rather this has reinforced two things we should all have learned a long time ago...
- There will always be someone ready to pounce as the most vocal opponent of a decision that has had less than perfect repercussions, whatever the merits and whatever the best intentions of that decision were at the time it was made.
- The majority of people never learn. Even those who should know far better.
And a bonus lesson 3: If we're being fair we can all agree that the WordPress code is not the problem here. Lack of user education about the dangers of not updating software continues to be the biggest obstacle to a safer web.
- The code is not the problem; users are.
- It’s imperative to update. Religiously. Regularly. Repeatedly.
- WordPress Website Maintenance sadly remains an overlooked task among website owners.
As Torque magazine said, "At the end of the day, no matter how fast hacks evolve, the best way to combat them is still through regular updates!"
Have you been hacked? Do you know someone who has been? Start the conversation with a comment below.