I was recently alerted by a client about a hack that was a result of running WordPress version 4.7.  This particular instance was a pretty harmless hack, which was identified as a defacement (MW:DEFACED:01) "generally done for fun, political reasons and by script kiddies."  A blog post was edited with the text "Hacked by Imam" overwriting the original content of the post.  Searching for the hack message on the Internet turned up thousands of results, and after a little research I learned that the site was hacked because of a WordPress vulnerability.

The WordPress 4.7 release was a major milestone bringing many new features, and one that has many developers very excited.  WordPress now ships with a REST API (also known as the JSON API), which makes it a fully-fledged application framework.  This means that you can use WordPress to build applications.  However, a severe content injection vulnerability has been discovered in the REST API that allows unauthenticated users to modify the content of any post or page within WordPress.  An update patch was released to fix the vulnerability.  If you haven't updated yet, you should do so immediately.

More details on the security patch and vulnerabilities: WordPress 4.7.2 Security Release

Beyond the vulnerabilities already found in the new WordPress version, the REST API could have other potential weaknesses, because it exposes some sensitive data that attackers can use against your site, including user names.

[Figure: REST API JSON response, viewed in Postman]

If you're not using the REST API, it's recommended that you disable it, which you can easily do by installing the Disable REST API plugin.

How Do I Know the REST API Is Enabled?

You can tell that the REST API is enabled by looking at your site in a browser.  After the URL, append "/wp-json/wp/v2".  So an example would be http://example.com/wp-json/wp/v2

If you see a bunch of text, which is actually a JSON string, then it's enabled.  Otherwise, you should see the following response:

{"code":"rest_disabled","message":"The REST API is disabled on this site."}
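The check described above can be scripted so you can run it against every site you maintain rather than eyeballing a browser.  The following is an added example written for this post; it is not code from WordPress or from the Disable REST API plugin.  It assumes that a site with the API enabled answers /wp-json/wp/v2 with a JSON index carrying a "namespace" key and a "routes" map (which is what current WordPress versions return), and that a disabled site answers with the rest_disabled body shown above.  The sample responses are constructed so the classification logic runs offline; check_site() does the live request.

```python
import json
import urllib.error
import urllib.request

# Endpoint path from the post.  The host is supplied by the caller.
REST_PATH = "/wp-json/wp/v2"

# Constructed sample bodies (assumed shape of the WordPress namespace index).
ENABLED_SAMPLE = (
    '{"namespace":"wp/v2","routes":{'
    '"/wp/v2":{"namespace":"wp/v2","methods":["GET"]},'
    '"/wp/v2/posts":{"namespace":"wp/v2","methods":["GET","POST"]},'
    '"/wp/v2/users":{"namespace":"wp/v2","methods":["GET","POST"]}}}'
)
DISABLED_SAMPLE = '{"code":"rest_disabled","message":"The REST API is disabled on this site."}'
HTML_SAMPLE = "<html><body><h1>Not Found</h1></body></html>"


def classify_rest_response(status, body):
    """Classify the body returned by /wp-json/wp/v2.

    Returns "disabled", "enabled" or "unknown".  The rest_disabled code is
    matched regardless of HTTP status, since plugins differ on the status
    they send with it.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return "unknown"  # not JSON at all, e.g. an HTML 404 page or a WAF block
    if not isinstance(data, dict):
        return "unknown"
    if data.get("code") == "rest_disabled":
        return "disabled"
    if data.get("namespace") == "wp/v2" and isinstance(data.get("routes"), dict):
        return "enabled"
    return "unknown"


def exposed_routes(body):
    """Return the sorted list of route paths the index advertises.

    Useful for spotting sensitive endpoints such as /wp/v2/users, which is
    how the API reveals user names.  Returns [] when the body is not an
    enabled index.
    """
    if classify_rest_response(200, body) != "enabled":
        return []
    return sorted(json.loads(body)["routes"].keys())


def check_site(base_url, timeout=10):
    """Fetch the index from a live site and classify it (network access)."""
    url = base_url.rstrip("/") + REST_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "rest-api-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_rest_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # A 403/404 may still carry the rest_disabled JSON, so classify the body.
        return classify_rest_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unknown"


if __name__ == "__main__":
    for label, body in (("enabled", ENABLED_SAMPLE), ("disabled", DISABLED_SAMPLE), ("html", HTML_SAMPLE)):
        print(label, "->", classify_rest_response(200, body), exposed_routes(body))
    # Replace the placeholder host with a site you administer:
    # print(check_site("https://example.com"))
```

A result of "unknown" is worth a manual look: it usually means a security plugin or CDN intercepted the request, not that the API is off.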

Conclusion

WordPress 4.7 has some vulnerabilities, and there are two simple things you should do to remedy them.  First, make sure you're running the latest version of WordPress (4.7.2 at the time of this writing).  Second, disable the REST API if you are not using it.

Modern "brute-force password crackers" can crack a password of 8 or fewer characters in less than 4 hours, but 12 or more characters takes years to crack.  So length over complexity is far better for creating secure passwords.  Even simple phrases like "MyDogRunsFast" are surprisingly more secure than "Er@42!."  When thinking of a secure password, you can use simple phrases that are easy to remember as long as they're at least 12 characters long, and to make it even more secure, mix in upper and lower case letters, numbers and special characters.

Tips for creating a secure password

  1. Use 12 or more characters
  2. Include numbers, upper and lower case letters and special characters
  3. Don't use the same password for different sites
  4. Test your password in a reputable password strength tester, like Bitwarden's password checker: https://bitwarden.com/password-strength/
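To see why length beats complexity, it helps to put numbers on the two passwords quoted above.  The following is an added example for this post, not code from any password checker.  It models a brute-force attacker the simple way: the search space is (size of the character classes the password uses) raised to (password length), and the time to exhaust it is that count divided by an assumed guess rate.  The guess rate of one billion per second is an assumption for illustration, not a figure from the post; the character-class sizes (26 lower, 26 upper, 10 digits, 32 symbols) are the usual brute-force model.

```python
import math
import string

# Assumed guess rate for the illustration (offline cracking of a fast hash).
GUESSES_PER_SECOND = 1_000_000_000


def charset_size(password):
    """Size of the alphabet a brute-force attacker must cover.

    Adds a class only if the password actually uses it, which is how
    length-vs-complexity estimates are normally made.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace_bits(password):
    """Brute-force search space expressed in bits (log2 of the keyspace)."""
    return len(password) * math.log2(charset_size(password))


def brute_force_hours(password, guesses_per_second=GUESSES_PER_SECOND):
    """Hours to exhaust the whole keyspace at the given guess rate."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / 3600


def compare(short_complex, long_simple):
    """Return how many times larger the long password's keyspace is."""
    return (charset_size(long_simple) ** len(long_simple)) / (
        charset_size(short_complex) ** len(short_complex)
    )


if __name__ == "__main__":
    # The two passwords quoted in the post.
    for pw in ("Er@42!.", "MyDogRunsFast"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, {keyspace_bits(pw):.1f} bits, "
              f"{brute_force_hours(pw):,.0f} hours to exhaust")
    print(f"ratio: {compare('Er@42!.', 'MyDogRunsFast'):.2e}")
```

With the assumed rate, the seven-character symbol-heavy password falls in under a day, while the thirteen-character phrase, using only letters, takes hundreds of thousands of years: the keyspace ratio is roughly 3 x 10^8 in favour of the longer one.  The model ignores dictionary and rule-based attacks, which is exactly why tip 4 (an actual strength tester) still applies.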