I was recently alerted by a client about a hack that was a result of running WordPress version 4.7. This particular instance was a pretty harmless hack, which was identified as a defacement (MW:DEFACED:01) “generally done for fun, political reasons and by script kiddies.” A blog post was edited with the text “Hacked by Imam” overwriting the original content of the post. Searching for the hack message on the Internet turned up 1000’s of results, and after little research I learned that it was hacked because of a WordPress vulnerability.
WordPress 4.7 release was a major milestone bringing many new features and one that has many developers very excited. WordPress is now a REST API (also known as JSON API) which makes if a fully-fledged application framework. This means that you can use WordPress to build applications. However, a severe content injection vulnerability has been discovered in the REST API that allows unauthenticated users to modify the content of any post or page within WordPress. An update patch was released to fix the vulnerability. If you haven’t updated yet, you should do so immediately.
More details on the security patch and vulnerabilities: WordPress 4.7.2 Security Release
Other than the found vulnerabilities in the new WordPress version, the REST API could have other potential vulnerabilities because it exposes some sensitive data that hacks can use to exploit your site, including user names.
If you’re not using the REST API, it’s recommended that you disable it, which you can easily do so by installing this plugin Disable REST API.
How Do I know the REST API is Enabled?
You can tell that the REST API is enabled by looking at your site in a browser. After the URL, append “/wp-json/wp/v2. So an example would be http://example.com/wp-json/wp/v2
If you see a bunch of text, which is actually a JSON string, then it’s enabled. Otherwise you should see the following text.
{"code":"rest_disabled","message":"The REST API is disabled on this site."}Conclusion
WordPress 4.7 has some vulnerabilities, and there’re two simple things you should do to remedy them. First, make sure you’re running the latest version of WordPress (4.7.2 at time of this writing), and that you disable the REST API.