CIO

Thousands of WordPress sites defaced after hidden patch revealed

  • Liam Tung (CSO Online)
  • 08 February, 2017 05:15

A bug that WordPress revealed a week ago is now being exploited, resulting in over 60,000 compromised web pages.

Tens of thousands of web pages have been defaced in the last week because WordPress users have not installed WordPress 4.7.2, according to security firm Sucuri, which in January reported a severe bug affecting the REST API in WordPress 4.7 and 4.7.1.

WordPress shipped the fix in version 4.7.2 two weeks ago but waited a week to reveal that the release also silently closed a flaw in the WordPress REST API that let an unauthenticated attacker change the content of any existing post or page, which is all a defacement needs.

WordPress core developers delayed disclosure in order to give users time to update before hackers began exploiting the vulnerability. That delay may have been wise. According to Sucuri, attempts to exploit the bug picked up 48 hours after WordPress revealed the hidden patch.

But although millions of sites with automatic updates enabled were secured immediately a fortnight ago, tens of thousands of sites remain unpatched and are falling prey to attackers who are scanning the Internet for sites still running the vulnerable versions.

Since the day WordPress revealed the vulnerability last week, Sucuri has observed attempts to exploit this vulnerability increase from less than 100 per day on February 2 to 3,000 per day on February 6.

“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began,” said Daniel Cid, Sucuri's chief technology officer.

One of four groups Sucuri is tracking has defaced over 66,000 web pages since details of the bug were disclosed. These compromises could have been avoided had site owners heeded the warnings and enabled automatic updates, or followed WordPress' straightforward manual update procedure.

“WordPress has an auto-update feature enabled by default, along with an easy one-click manual update process. Despite this, not everyone is aware of this issue or able to update their site. This is leading to a large number of sites being compromised and defaced,” said Cid.
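The two facts a site owner needs from this story are whether an install is on one of the affected releases (4.7 or 4.7.1 rather than 4.7.2 or later) and whether WordPress's own background updater was in a position to deliver the fix. The following is an added example, not code from Sucuri, WordPress or the article: it audits an install offline from the two files every WordPress tree has, wp-includes/version.php (which sets `$wp_version`) and wp-config.php (where the `WP_AUTO_UPDATE_CORE`, `AUTOMATIC_UPDATER_DISABLED` and `DISALLOW_FILE_MODS` constants live). The sample file contents embedded below are constructed, and the `audit_install` helper that reads a real directory is the only part that touches disk.

```python
"""Offline audit: is a WordPress install on a release affected by the 4.7/4.7.1
REST API content-injection flaw, and would the background updater have fetched
4.7.2 on its own?  Added example; sample file contents are constructed."""
import re
from pathlib import Path

AFFECTED = {(4, 7, 0), (4, 7, 1)}   # the two releases Sucuri reported as vulnerable
FIXED = (4, 7, 2)                    # the release that carried the silent fix

# Constructed stand-ins for wp-includes/version.php and wp-config.php.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_CONFIG_DEFAULT = "<?php\ndefine('DB_NAME', 'wp');\n"      # no update constants at all
SAMPLE_CONFIG_DISABLED = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define( 'AUTOMATIC_UPDATER_DISABLED', true );\n"          # common 'hardening' that blocks 4.7.2
)
SAMPLE_CONFIG_MAJORS_TOO = "<?php\ndefine(\"WP_AUTO_UPDATE_CORE\", true);\n"


def parse_version(text):
    """'4.7' -> (4, 7, 0); '4.7.2-RC1' -> (4, 7, 2). Only the numeric parts matter here."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def core_version(version_php):
    """Pull the $wp_version assignment out of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return parse_version(m.group(1))


def _defined(wp_config, name):
    """Return the value passed to define('NAME', value) in lower case, or None if absent."""
    m = re.search(r"define\(\s*['\"]" + name + r"['\"]\s*,\s*(.+?)\s*\)\s*;", wp_config, re.I)
    return m.group(1).strip().strip("'\"").lower() if m else None


def auto_update_policy(wp_config):
    """Map wp-config.php constants to what the background updater will install.

    'disabled' : AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS is true
    'none'     : WP_AUTO_UPDATE_CORE false
    'minor'    : WP_AUTO_UPDATE_CORE 'minor', or unset (the WordPress default)
    'all'      : WP_AUTO_UPDATE_CORE true (major releases as well)
    """
    for gate in ("AUTOMATIC_UPDATER_DISABLED", "DISALLOW_FILE_MODS"):
        if _defined(wp_config, gate) == "true":
            return "disabled"
    val = _defined(wp_config, "WP_AUTO_UPDATE_CORE")
    return {None: "minor", "minor": "minor", "true": "all", "false": "none"}.get(val, "unknown")


def assess(version_php, wp_config):
    """Combine both signals into one verdict for an install."""
    version = core_version(version_php)
    policy = auto_update_policy(wp_config)
    vulnerable = version in AFFECTED
    return {
        "version": version,
        "vulnerable": vulnerable,
        "policy": policy,
        # 4.7.2 is a minor release, so 'minor' or 'all' would have fetched it unattended.
        "would_self_patch": vulnerable and policy in ("minor", "all"),
    }


def audit_install(root):
    """Run assess() against a real install directory (the samples above never touch disk)."""
    root = Path(root)
    return assess((root / "wp-includes" / "version.php").read_text(),
                  (root / "wp-config.php").read_text())


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_CONFIG_DEFAULT),
                       ("updater disabled", SAMPLE_CONFIG_DISABLED),
                       ("majors too", SAMPLE_CONFIG_MAJORS_TOO)):
        print(label, assess(SAMPLE_VERSION_PHP, cfg))
```

Two caveats for anyone running this across a fleet. The file scan sees only the constants; a plugin or mu-plugin can switch the updater off just as effectively through the `automatic_updater_disabled` or `auto_update_core` filters, and WordPress also skips background updates when it finds a version-control checkout (a `.git` or `.svn` directory) in the tree or cannot write to its own files. So a result of `policy == "minor"` means the updater was allowed to run, not that it did; the version number is the ground truth.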

Fortunately, the compromises so far appear to be mostly defacements. However, Sucuri warned last week that on sites running plugins which evaluate PHP or shortcodes embedded in post content, the same content injection could be escalated to remote code execution.

Cid expects the number of website defacements to slow in coming days as attackers turn their focus to search engine optimization (SEO) spam, or techniques to dupe Google and other search engines into giving a site a higher ranking in search results. Sucuri has seen attempts to add spam images and content to posts, which can help attackers earn revenue.