Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages (bleepingcomputer.com)
An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners, some of whom misinterpreted the email and panicked, fearing their site might lose search engine ranking.
It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.
Instead, consider using a static website generator like Pelican, or one of the many alternatives.
Write articles and blog posts in a simple, human-readable markup language such as Markdown or ReStructuredText.
Manage your documents in git. Run the generator to recreate the HTML and update Atom/RSS feeds.
The resulting website is blazing fast and can be hosted on dirt cheap servers.
More simplicity on the Internet please.
The flaw was specifically made possible by PHP's eagerness to convert malformed strings to best-guess integers instead of raising an error like any sane programming language. You didn't read TFA, did you?
Parent is mostly correct, except where he lumps together all "scripting" languages. This isn't a problem with "scripting" languages, it's a problem with languages like PHP that were designed by people who had no idea what they were doing. Worse, PHP is designed to be deployed in a way that encourages mistakes (PHP files directly in the webroot). PHP security is a game of whack-a-mole where if you forget to whack all the moles in one of your scripts, your site is toast. This wouldn't have happened with a sane scripting language, like Python.
$ php7.1 -r 'echo (int) "123test";'
123
$ python3.5 -c 'print(int("123test"))'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ValueError: invalid literal for int() with base 10: '123test'
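To make the coercion hazard above concrete, here is an added example (not code from the thread or from WordPress) in Python that models PHP's (int) cast on a simplified subset of its rules and shows why a request handler must parse an identifier once, strictly, before both the authorization check and the action use it. The post store, the handler names and the sample ids are constructed for the illustration, and the php_int_cast model is an approximation, not PHP's full numeric-string rules.

```python
import re
from typing import Optional

# Simplified model of PHP's (int) cast on strings: optional leading
# whitespace and sign, then leading ASCII digits; anything else becomes 0.
# This is an approximation for the demo, not PHP's full numeric-string rules.
_LEADING_INT = re.compile(r"^\s*([+-]?[0-9]+)")

def php_int_cast(value: str) -> int:
    m = _LEADING_INT.match(value)
    return int(m.group(1)) if m else 0

def strict_id(value: str) -> Optional[int]:
    """Accept only a canonical non-negative decimal id; None otherwise."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None

# Constructed sample store: post id -> owner (hypothetical data)
POSTS = {123: "alice"}

def lookup_strict(raw_id: str) -> Optional[int]:
    """Lookup that rejects anything that is not a clean numeric string."""
    pid = strict_id(raw_id)
    return pid if pid in POSTS else None

def lookup_lenient(raw_id: str) -> Optional[int]:
    """Lookup that first coerces the id the way PHP's (int) cast would."""
    pid = php_int_cast(raw_id)
    return pid if pid in POSTS else None

def update_loose(raw_id: str, user: str) -> str:
    """Anti-pattern: the check and the action parse the id differently.
    The check sees 'no such post' for a malformed id and so finds nothing
    to protect, while the action coerces the same id to a real post."""
    target = lookup_strict(raw_id)
    if target is not None and POSTS[target] != user:
        return "forbidden"
    target = lookup_lenient(raw_id)
    if target is None:
        return "not found"
    return f"updated {target}"

def update_strict(raw_id: str, user: str) -> str:
    """Hardened: parse once, reject malformed input, reuse the same value."""
    pid = strict_id(raw_id)
    if pid is None or pid not in POSTS:
        return "not found"
    if POSTS[pid] != user:
        return "forbidden"
    return f"updated {pid}"
```

The loose handler's weakness is not the cast by itself but that two code paths interpret one untrusted value differently; validating once and threading the canonical integer through both paths removes the mismatch.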
I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis. The standard groupthink from WordPress evangelists is that the security problems are behind us -- that WordPress core hasn't had a serious vulnerability in years, core has a review process, blame your out of date installations and inexperienced plugin developers.
For those not in the know, the REST API is something new to WordPress. Developers could get early access through a plugin, but the API now comes included with WP 4.7. There is so much buzz and excitement, even among WordPress people who have no idea what REST really is, few people questioned it because this meant WordPress can now take over the world.
I for one questioned it. When I saw REST enabled in 4.7 without a control to disable it, my literal reaction was "Are you FUCKING kidding me???" I have experience in security. I understand attack surfaces. I have seen what a fiasco xmlrpc.php attacks are to WordPress. And these idiots open REST APIs to the internet by default? Jesus fucking Christ, I really don't think Matt Mullenweg or any of the other idiots running the WordPress show have any ability to learn from history.
Sadly, there is no evidence of other CMSes surpassing WP in popularity. You should get used to WordPress continuing to be the sendmail of PHP apps.