Slashdot Mirror


Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages (bleepingcomputer.com)

An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners, some of whom misinterpreted the email and panicked, fearing their site might lose search engine ranking.

19 of 119 comments

  1. The reason I hate WordPress is PHP. by Larsen+E+Whipsnade · · Score: 4, Insightful

    I could harsh on PHP until the cows come home, but that would be annoying. So I'll just say that this sort of security problem shows that it's impractical to write anything secure in PHP. Why? Mainly because it adds a layer of complexity atop compiled binary, and it adds source code access once a hacker has got past a certain level, and... oh, it's just all kinds of insecure.

    Just why did PHP become so popular, anyway? I really don't see the attraction. Now WordPress would be a wonderful thing, if only they'd ditch the PHP. It would be a little harder to customize and extend, but far from impossible. Worst case, we could supply a scripting language ONLY for custom extensions. Basically a macro language. Python's embeddable.

    (No, I don't consider a widely used API to be a custom extension. That's part of the core.)

    More opinion: in a production system, scripting languages and macros should be only for custom extensions, and never for core code. There should never be scripts BEHIND an API. If WordPress were written in a compiled language and run as a binary, it would be less easy to hack. But not C. Those damn pointer arithmetic exploits...

    1. Re:The reason I hate WordPress is PHP. by rudy_wayne · · Score: 3, Insightful

      Everything you said is more or less true, but, the bigger problem is that WordPress and many other software packages are written by people who are just plain incompetent and/or stupid. They either don't give two shits about security or are to stupid to figure it out.

    2. Re:The reason I hate WordPress is PHP. by Anonymous Coward · · Score: 2, Funny

      "or are to stupid to figure it out"

      It's 2. You want to spell it "2 stoopud".

    3. Re:The reason I hate WordPress is PHP. by marcansoft · · Score: 5, Insightful

      The flaw was specifically made possible by PHP's eagerness to convert malformed strings to best-guess integers instead of raising an error like any sane programming language. You didn't read TFA, did you?

      Parent is mostly correct, except where he lumps together all "scripting" languages. This isn't a problem with "scripting" languages, it's a problem with languages like PHP that were designed by people who had no idea what they were doing. Worse, PHP is designed to be deployed in a way that encourages mistakes (PHP files directly in the webroot). PHP security is a game of whack-a-mole where if you forget to whack all the moles in one of your scripts, your site is toast. This wouldn't have happened with a sane scripting language, like Python.


      $ php7.1 -r 'echo (int) "123test";'
      123
      $ python3.5 -c 'print(int("123test"))'
      Traceback (most recent call last):
        File "<string>", line 1, in <module>
      ValueError: invalid literal for int() with base 10: '123test'
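The coercion marcansoft demonstrates above is the same one a request handler hits when it turns a client-supplied identifier into a number with a bare `(int)` cast. As an added example (not code from the comment, from WordPress, or from the REST API handler the story is about), the PHP script below puts that lenient cast next to a strict validator built on `filter_var(..., FILTER_VALIDATE_INT)`, which only accepts a canonical decimal integer. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from the comment above or from WordPress: a lenient
// (int) cast next to strict validation of an identifier read from a request.
declare(strict_types=1);

// Lenient: the cast never fails, it just keeps the leading digits it can parse.
function lenientId(string $raw): int
{
    return (int) $raw;   // "123test" becomes 123, "abc" becomes 0
}

// Strict: accept only a canonical positive decimal integer, otherwise null.
// FILTER_VALIDATE_INT rejects trailing garbage ("123test"), hex ("0x7B"),
// exponents ("1e2"), leading zeros ("0123") and empty strings; it does trim
// surrounding whitespace and tolerates a leading "+", so the second check
// insists that the accepted string is exactly the integer's own decimal form.
function strictId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || (string) $id !== $raw) {
        return null;
    }
    return $id;
}

// Constructed sample inputs for the demonstration.
$samples = ['123', '123test', 'abc', '0x7B', '1e2', '0123', ' 123', '+123', '-5'];
foreach ($samples as $raw) {
    $strict = strictId($raw);
    printf("%-10s lenient=%-4d strict=%s\n",
        var_export($raw, true),
        lenientId($raw),
        $strict === null ? 'rejected' : (string) $strict);
}
```

Run it with `php example.php` (PHP 7.1 or later, for the `?int` return type). The lenient column shows why a cast is not validation: every malformed input still yields some integer, so any permission check that follows runs against a value the client never literally sent. The strict validator returns null in those cases, which lets the handler answer with a 400 instead of guessing what the client meant.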

    4. Re:The reason I hate WordPress is PHP. by gtall · · Score: 2

      I don't agree. A good language keeps you from shooting your foot off even if you are inadvertently aiming at it. How many of PHP's arcane rules must a programmer keep in mind? Must s/he constantly use PHP to keep the rules in the head so as not to trip over them? A good example of how to do it right is Haskell. The typing system is a bitch but you won't get away with any inadvertent type casts.

    5. Re:The reason I hate WordPress is PHP. by marcansoft · · Score: 2

      PHP was slow as molasses until recently, and cleaning up compromised servers after you get pwned isn't cheap, nor is maintaining a legacy code-rotting PHP codebase, which is what PHP encourages.

      PHP became popular because it was easy back when the dynamic web was getting started and people just wanted to write quick hacks. By the time people realized it was a terrible idea we had legions of PHP coders who thought they knew what they were doing, and tons of PHP frameworks evolving from toys to something that was trying to be serious, with the language following a similar path. But the foundation was rotten to the core, and as much as they've tried, nobody has yet managed to fix PHP, nor is it really possible without reinventing, effectively, a whole new language. Even deprecating completely batshit insane ideas like magic_quotes_gpc has taken years of effort.

      Meanwhile Python 2 was pretty good, way better than PHP ever was (and probably ever will be), but even then the Python community knew that some things needed to be torn up and redone properly, and thus we got Python 3. Things work differently when the people designing and maintaining a language actually know what they're doing. The Python 2 to 3 transition has been long, but worth it in the long term.

    6. Re:The reason I hate WordPress is PHP. by dotancohen · · Score: 2

      Like everything if you RTFM it works as described. If you are coding PHP you would know this behaviour.

      I disagree that most or even many PHP programmers know this issue. A few months ago I demo'ed an exploit in code that a coworker wrote which had the same flaw, this time in comparing MD5 hashes. He had been using PHP for all of his professional career and had no idea how PHP compares strings with leading digits.

      Of course, I only knew about the issue because of a similar bug that I wrote, sometime a bit over a decade ago. At that time I had been using PHP for over five years.

      So the maxim "know your tools" still stands, but string comparison in PHP _is_ broken in subtle, dangerous ways that most devs will never (knowingly) encounter. I've never seen code that _relies_ on this behaviour; I would love to see it fixed in a major version release. Too bad PHP 7 still carries this flaw.

      --
      It is dangerous to be right when the government is wrong.
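The string comparison dotancohen describes is PHP's loose `==`, which compares two strings numerically whenever both parse as numbers, so two different hash strings of the shape `0e<digits>` compare equal because both evaluate to zero. As an added example (not the coworker's code or anything else from this thread), the PHP script below puts `==` next to `===` and `hash_equals()` on constructed hash-shaped strings; the constants and helper names are made up for this illustration, and the strings are not claimed to be the MD5 of anything.

```php
<?php
// Added example, not code from the comment above: loose, strict and
// constant-time comparison of hash-shaped strings in PHP.
declare(strict_types=1);

// Constructed hash-shaped strings (not claimed to be the MD5 of anything).
// Both fit PHP's numeric-string grammar: "0e" followed by digits means 0 * 10^N.
const STORED_HASH   = '0e462097431906509019562988736854';
const SUPPLIED_HASH = '0e830400451993494058024219903391';

// == converts both operands to numbers when both are numeric strings.
function looseEquals(string $a, string $b): bool
{
    return $a == $b;
}

// === compares type and bytes; no numeric conversion takes place.
function strictEquals(string $a, string $b): bool
{
    return $a === $b;
}

// hash_equals() compares bytes in time independent of where they differ,
// which matters when one side is a secret.
function safeEquals(string $known, string $supplied): bool
{
    return hash_equals($known, $supplied);
}

// Constructed pairs: the hash-shaped pair plus other numeric-string lookalikes.
$pairs = [
    [STORED_HASH, SUPPLIED_HASH],
    ['1e3', '1000'],    // exponent form vs plain decimal: numerically equal
    ['0x1A', '26'],     // hex strings are not numeric in PHP 7+, so not equal
    ['abc', 'abc'],     // non-numeric strings: == falls back to byte comparison
];
foreach ($pairs as [$a, $b]) {
    printf("%-32s %-32s ==:%-5s ===:%-5s hash_equals:%s\n", $a, $b,
        var_export(looseEquals($a, $b), true),
        var_export(strictEquals($a, $b), true),
        var_export(safeEquals($a, $b), true));
}
```

Run it with `php example.php`. `===` removes the equality bug on its own; `hash_equals()` additionally compares in constant time, which is the right choice whenever one side of the comparison is a secret such as a password hash, an HMAC tag or a session token. The same loose-comparison rule applies to two numeric strings in PHP 8, so the `0e` case is not something a version upgrade fixes for you.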
  2. Which is why they use PHP? by Larsen+E+Whipsnade · · Score: 2

    Couldn't resist.

    I tried WordPress for a while, and I tried some PHP coding. I'm a tad bitter.

  3. Re:Wordpress the first open source failure... it i by Narcocide · · Score: 2

    Nope. They won't blame their precious $5 web hosts. Instead, for some reason I still struggle to grasp, they will instead blame the web coders they didn't hire, who warned them not to use WordPress in the first place, as well as "all versions of PHP itself," regardless of host configuration.

  4. Plea for simplification: static HTML by xororand · · Score: 5, Insightful

    It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
    A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.

    Instead, consider using a static website generator like Pelican, or one of the many alternatives.

    Write articles and blog posts in a simple, human-readable markup language such as Markdown or ReStructuredText.
    Manage your documents in git. Run the generator to recreate the HTML and update Atom/RSS feeds.
    The resulting website is blazing fast and can be hosted on dirt cheap servers.

    More simplicity on the Internet please.

    1. Re:Plea for simplification: static HTML by marcansoft · · Score: 3, Insightful

      This.

      The irony is that any WordPress site getting any reasonable amount of traffic is already using WP-Super-Cache... which generates static HTML pages for public content to be served directly from the web server. So they get the worst of both worlds: caching issues and a dynamic backend that is still just as susceptible to exploits as without the cache.

    2. Re:Plea for simplification: static HTML by thegarbz · · Score: 4, Insightful

      You say this as someone who knows what they are doing. Markdown? Restructured text? Git? You've just gone beyond the expertise of 99% of blog writers out there.

      Wordpress's killer feature is not that it dynamically renders content, it's that it allows a complete idiot to dynamically generate it.

      Remember the alternative? Remember people typing word documents and saving them as HTML files? If you don't provide a dead simple online WYSIWYG editor with instant publish features and without the requirement to install software on a machine, any proposal you come up with is DOA.

  5. Re:Great. by marcansoft · · Score: 4, Interesting

    The only secure way to use WordPress is as a static site generator, where the live version is deployed with no dynamic functionality and the administration backend is secured by a layer above WordPress (e.g. HTTP BASIC authentication).

    WordPress isn't particularly terrible code, but it is written in a particularly terrible programming language where it's practically impossible to write something secure because things are insecure-by-default and you're expected to defend against all the gotchas explicitly.

  6. I almost believed in WordPress by NaCh0 · · Score: 5, Interesting

    I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis. The standard groupthink from WordPress evangelists is that the security problems are behind us -- that WordPress core hasn't had a serious vulnerability in years, core has a review process, blame your out of date installations and inexperienced plugin developers.

    For those not in the know, the REST API is something new to wordpress. Developers could get early access through a plugin, but the API now comes included with WP4.7. There is so much buzz and excitement, even among wordpress people who have no idea what REST really is, that few people questioned it, because this meant WordPress can now take over the world.

    I for one questioned it. When I saw REST enabled in 4.7 without a control to disable it my literal reaction was "Are you FUCKING kidding me???" I have experience in security. I understand attack surfaces. I have seen what a fiasco xmlrpc.php attacks are to wordpress. And these idiots open REST APIs to the internet by default? Jesus fucking Christ, I really don't think Matt Mullenweg or any of the other idiots running the WordPress show have any ability to learn from history.

    Sadly, there is no evidence of other CMS's surpassing WP in popularity. You should get used to WordPress continuing to be the sendmail of php apps.

    1. Re:I almost believed in WordPress by phantomfive · · Score: 2

      The problem here is it wasn't deployed in Docker. With a real database like Oracle. The whole thing should be run in the browser to give it an extra layer of containerized security.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:I almost believed in WordPress by trawg · · Score: 2

      I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis.

      Doing agency work in the last few years I know my colleagues struggled with the process of managing WordPress within source control. If we built a website for someone based in WordPress we'd deploy it - but then if the customer upgraded it or installed a theme or something it would instantly be out of wack with what was in source control.

      Managing the site in source control from there was a bit of a pain as you'd have to download the new version, add new files, commit differences, etc - every time there was a WordPress update.

      I would not be surprised if a lot of the compromised sites were in this situation - deployed by agencies who said to their clients "don't worry, we'll keep it up-to-date for you" and deployed from source control without thinking about how to maintain it, and then giving up when they realised it meant regular updates to their dev copy - thus losing all the security advantages of WP's self-updating feature. Or giving up when their clients modified their own site extensively thus making it a real nightmare to merge.

      I'm sure there are many good ways of managing this process. WordPress being the "cheap" alternative means a lot of people are getting what they pay for.

  7. Dynamic content + shoddy plugins + monoculture by damaki · · Score: 3, Insightful

    And web agencies. You got a genuine recipe for disaster. But that's so much fun, all those cheap websites (my company included) which get defaced and hacked to death on a monthly basis, as they cannot be updated in a timely manner because they need every single exotic and never-updated plugin. I had to build a presentational website, 15 years ago, and you know what? I did use a static content generator, which I coded myself, as it was dead simple! What is stupid is that, as many people said in replies, most of these sites actually need zero dynamic content and would do as well with a static site generator. But hell, you got to pull the WordPress buzzword to please the corporate people, 'cause they need cheap flexibility, and buzzwords.

    --
    Stupidity is the root of all evil.
  8. Security through obscurity not so bad? by bradley13 · · Score: 3, Interesting

    We all ridicule people who rely on security-through-obscurity. Incidents like this should make us take another look at that sentence: While we shouldn't rely on obscurity for protection, we shouldn't forget that it does help. Major platforms like WordPress are lucrative targets for hackers, who will spend a lot of energy searching for weaknesses they can exploit.

    Using some lesser-known platform, or even rolling your own, makes you a less interesting target. Sure, you may (will!) have other vulnerabilities, but far fewer people will be hunting for them. This is a not-inconsiderable advantage.

    --
    Enjoy life! This is not a dress rehearsal.
  9. WP auto-patching should have mitigated this better by trawg · · Score: 2

    So I have five separate personal WordPress sites for testing/hacking/tinkering and casually look after one for a friend. Every single one of mine updated on the day the patch for this problem was fixed.

    I got email notifications from each of my sites notifying me they were updated before I heard about the problem. I read the WP blog post about it and thought "shit, that would have been a huge problem if my sites hadn't auto-updated!" and forgot about it completely.

    (Incidentally, the next night I had a much, much higher than normal number of brute force login attempts. Not sure if related.)

    I'd be very interested to find out why these 1.5m sites did not automatically update. I wonder if they're being manually updated or what the deal is. But if auto-patching worked as it was supposed to this vulnerability would have been mitigated much more quickly.