Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages

An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners. Some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.

The reason I hate WordPress is PHP.

[Larsen+E+Whipsnade]

I could harsh on PHP until the cows come home, but that would be annoying. So I'll just say that this sort of security problem shows that it's impractical to write anything secure in PHP. Why? Mainly because it adds a layer of complexity atop compiled binary, and it adds source code access once a hacker has got past a certain level, and... oh, it's just all kinds of insecure.

Just why did PHP become so popular, anyway? I really don't see the attraction. Now WordPress would be a wonderful thing, if only they'd ditch the PHP. It would be a little harder to customize and extend, but far from impossible. Worst case, we could supply a scripting language ONLY for custom extensions. Basically a macro language. Python's embeddable.

(No, I don't consider a widely used API to be a custom extension. That's part of the core.)

More opinion: in a production system, scripting languages and macros should be only for custom extensions, and never for core code. There should never be scripts BEHIND an API. If WordPress were written in a compiled language and run as a binary, it would be less easy to hack. But not C. Those damn pointer arithmetic exploits...

Re:The reason I hate WordPress is PHP.

[rudy_wayne]

Everything you said is more or less true, but, the bigger problem is that WordPress and many other software packages are written by people who are just plain incompetent and/or stupid. They either don't give two shits about security or are to stupid to figure it out.

Re:The reason I hate WordPress is PHP.

[marcansoft]

The flaw was specifically made possible by PHP's eagerness to convert malformed strings to best-guess integers instead of raising an error like any sane programming language. You didn't read TFA, did you?

Parent is mostly correct, except where he lumps together all "scripting" languages. This isn't a problem with "scripting" languages, it's a problem with languages like PHP that were designed by people who had no idea what they were doing. Worse, PHP is designed to be deployed in a way that encourages mistakes (PHP files directly in the webroot). PHP security is a game of whack-a-mole where if you forget to whack all the moles in one of your scripts, your site is toast. This wouldn't have happened with a sane scripting language, like Python.

$ php7.1 -r 'echo (int) "123test";'
123
$ python3.5 -c 'print(int("123test"))'
Traceback (most recent call last):
    File "", line 1, in
ValueError: invalid literal for int() with base 10: '123test'

Plea for simplification: static HTML

[xororand]

It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.

Instead, consider using a static website generator like Pelican, or one of the many alternatives.

Write articles and blog posts in a simple, human-readable markup language such as Markdown or ReStructuredText.
Manage your documents in git. Run the generator to recreate the HTML and update Atom/RSS feeds.
The resulting website is blazing fast and can be hosted on dirt cheap servers.

More simplicity on the Internet please.

Re:Plea for simplification: static HTML

[marcansoft]

This.

The irony is that any WordPress site getting any reasonable amount of traffic is already using WP-Super-Cache... which generates static HTML pages for public content to be served directly from the web server. So they get the worst of both worlds: caching issues and a dynamic backend that is still just as susceptible to exploits as without the cache.

Re:Plea for simplification: static HTML

[thegarbz]

You say this as someone who knows what they are doing. Markdown? Restructured text? Git? You've just gone beyond the expertise of 99% of blog writers out there.

Wordpress's killer feature is not that it dynamically renders content, its that it allows a complete idiot to dynamically generate it.

Remember the alternative? Remember people typing word documents and saving them as HTML files? If you don't provide a dead simple online WYSIWYG editor with instant publish features and without the requirement to install software on a machine, any proposal you come up with is DOA.

Dynamic content + shoddy plugins + monoculture

[damaki]

And web agencies. You got a genuine recipe for disaster. But that's so much fun, all those cheap websites (my company included) which get defaced and hacked to death on a monthly basis, as it cannot be updated timely because they to need every single exotic and never updated plugins. I had to build a presentational website, 15 years ago, and you know what? I did use a static content generator, which I coded myself as it was dead simple! What's is stupid is that as many people told in replies, most of these sites actually needs zero dynamic content and would do as well with a static site generator. But hell, you got to pull the WordPress buzzword to please the corporate people, cause they need cheap flexibility, and buzzwords.

LAMP rules. Get over it.

[Qbertino]

The reason I hate WordPress is PHP.

LAMP rules. Get over it. Yes, PHP is awkward (said it myself) and I don't particularly like it that much either. But show me another web PL that does what PHP / LAMP does.
Hello World in PHP is "Hello World." There. Done. Upload a bunch of PHP files on to a LAMP setup, type in the URL in the browser and watch magic happen. No compiling, no appserver to babysit 24/7, no race conditions. Pure simple stupid procedural turing complete web template logic with some nifty utility functions bolted on left right and center, with no order or discipline what-so-ever. But they all work.

LAMP rules, it get's the job done and right now it's also putting money in my pocket. Yes, there are a lot of n00bs and non-programmers doing stuff in PHP and the projects using it have little to no idea how to organise web-dev, let alone a clean model or dev pipeline. And it's really ugly and bizar. But it get's the job done, one hack at a time.

PHP is the language that get's shit done on the web, plain and simple. It's the P in LAMP.
That's why PHP has WordPress, Joomla, Typo3, EZ Publish, Drupal and such and Java has nothing of that magnitude. Go figure.

My 2 cents.