Traditionally, we keep security patches and updates simple and quick in our security haiku series of posts. But sometimes 17 syllables doesn’t cut it.
The vulnerability was an authentication bypass in the REST API (a new feature in WordPress core as of 4.7.0). It allowed malicious parties with no account or other form of privileged access on a site to modify or replace the content of any post on the site.
If you host your site with Pagely, you’re good. We applied a virtual patch via our WAF (Web Application Firewall) – which prevented malicious requests from ever reaching the site – before applying a software upgrade on customer sites to 4.7.2. The majority of our customers received this patch on the same day as it was made available.
The attacker’s access is limited to changing a post’s content, but that has not stopped many from running this exploit and succeeding on many un-patched sites (at other hosting providers), leaving in their wake thousands of sites with new “hacked by” posts. This is unfortunate for those site owners, who will now have to go through the pain of restoring their posts from backups, or of starting all over again if they lacked those.
The events related to the 4.7.2 release are a reminder that practicing security should come first. Here are some takeaways:
- Always apply security patches quickly. (WordPress has an automatic upgrade option, which is strongly recommended. If you cannot rely on this functionality, then you must dedicate staff to applying security upgrades, or consider a hosting provider who provides upgrades as part of their service.)
- Enable a WAF or sign up for a WAF service (Cloudflare, Sucuri, etc.) so you can apply virtual patches or rules that block a severe attack of this nature while you wait for the official patch to be deployed on all your sites.
- If you cannot do either of the above, hope you have good backups and a pot of coffee at the ready.
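The virtual patch described above is, at its core, a request filter that sits in front of the site and refuses the class of request the vulnerability depends on: an unauthenticated write to the REST API's posts endpoints. The following is an added illustration of that idea in Python; it is not Pagely's WAF rule and not WordPress code. It assumes the default REST prefix (`/wp-json/`), the fallback `?rest_route=` form used on installs without pretty permalinks, and the real `wordpress_logged_in_*` session cookie name; the `Request` class and the sample requests are constructed here for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote

# REST methods that create, modify or delete content. Reads (GET/HEAD) are left alone.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Routes whose write handlers change post or page content.
POSTS_ROUTE = re.compile(r"^/wp/v2/(posts|pages)(/|$)")

# Assumption: the API is served under the default /wp-json/ prefix.
REST_PREFIX = "/wp-json/"


@dataclass
class Request:
    """Minimal stand-in for a request as a reverse proxy or WAF sees it (constructed)."""
    method: str
    target: str                     # path plus query string, e.g. "/wp-json/wp/v2/posts/1"
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def rest_route(target):
    """Return the REST route a request addresses, or None if it is not a REST call."""
    parts = urlsplit(target)
    if parts.path.startswith(REST_PREFIX):
        return "/" + parts.path[len(REST_PREFIX):]
    # Installs without pretty permalinks expose the API as /index.php?rest_route=/wp/v2/...
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "rest_route":
            return unquote(value)
    return None


def has_login_cookie(req):
    """WordPress issues a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    cookies = (c.strip() for c in req.header("Cookie").split(";"))
    return any(c.startswith("wordpress_logged_in_") for c in cookies)


def virtual_patch(req):
    """Decide whether a request may pass. Returns (decision, reason).

    Only anonymous write requests to the posts/pages routes are blocked, so editors
    working through the dashboard (which always carries the login cookie) keep working
    while the real fix, upgrading WordPress, is rolled out.
    """
    route = rest_route(req.target)
    if route is None or req.method.upper() not in WRITE_METHODS:
        return ("allow", "not a REST write request")
    if not POSTS_ROUTE.match(route):
        return ("allow", "REST write outside the posts/pages routes")
    if has_login_cookie(req):
        return ("allow", "write request carries a WordPress login cookie")
    return ("block", f"anonymous {req.method.upper()} to {route}")


# Constructed sample traffic: what a proxy might see during such a campaign.
SAMPLE_REQUESTS = [
    Request("GET", "/wp-json/wp/v2/posts/7"),
    Request("POST", "/wp-json/wp/v2/posts/7", {"Content-Type": "application/json"}),
    Request("POST", "/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F7"),
    Request("POST", "/wp-json/wp/v2/posts/7", {"cookie": "wordpress_logged_in_ab12=x; wp-settings=1"}),
    Request("POST", "/wp-json/wp/v2/comments"),
]


def triage(requests):
    """Return the blocked requests with their reasons, for logging or alerting."""
    return [(r.method, r.target, reason)
            for r in requests
            for decision, reason in [virtual_patch(r)]
            if decision == "block"]


if __name__ == "__main__":
    for method, target, reason in triage(SAMPLE_REQUESTS):
        print(f"BLOCK {method} {target}: {reason}")
```

Two caveats belong with a rule like this. The cookie test only checks that a session cookie is present, not that it is valid, so the rule is a stopgap that narrows the attack surface rather than a substitute for applying 4.7.2; and any site that legitimately writes to the REST API without a browser session (an authentication plugin issuing tokens, for example) would need those clients allowlisted before the rule is switched on.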
Again, sites hosted at Pagely were not affected by this vulnerability (hat tip: WP Core Team for looping us in early), thanks in large part to our security and devops teams staying vigilant and following the best-practice procedures outlined above for addressing security issues on all of our customer sites.