WordPress 4.7 vulnerabilities – update now to avoid hack

I was recently alerted by a client about a hack that resulted from running WordPress version 4.7. This particular instance was a fairly harmless hack, identified as a defacement (MW:DEFACED:01), which is “generally done for fun, political reasons and by script kiddies.” A blog post had been edited so that the text “Hacked by Imam” overwrote the post's original content. Searching for the message on the Internet turned up thousands of results, and after a little research I learned that the site was hacked through a WordPress vulnerability.

The WordPress 4.7 release was a major milestone that brought many new features, and one that has many developers very excited. WordPress now includes a REST API (also known as the JSON API), which makes it a fully-fledged application framework: you can use WordPress to build applications. However, a severe content injection vulnerability was discovered in the REST API that allows unauthenticated users to modify the content of any post or page within WordPress. A patch has been released to fix the vulnerability. If you haven't updated yet, you should do so immediately.

More details on the security patch and vulnerabilities: WordPress 4.7.2 Security Release

Beyond the vulnerabilities already found in the new WordPress version, the REST API is a potential source of others, because it exposes some sensitive data that attackers can use against your site, including user names.

Rest API JSON Response Using Postman

If you're not using the REST API, it's recommended that you disable it, which you can easily do by installing the Disable REST API plugin.

WordPress REST API vulnerabilities
JSON response from domain.com/wp-json/wp/v2/user using web browser

How Do I Know the REST API is Enabled?

You can tell whether the REST API is enabled by looking at your site in a browser. Append “/wp-json/wp/v2” to your site's URL, for example http://example.com/wp-json/wp/v2

If you see a block of text, which is actually a JSON string, then it's enabled. Otherwise, you should see the following text:

{"code":"rest_disabled","message":"The REST API is disabled on this site."}
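The browser check above can also be scripted. The following is an added example, not code from the original post: it classifies the body a site returns for /wp-json/wp/v2 and lists the user slugs readable from /wp-json/wp/v2/users (the exposure of user names mentioned earlier). The sample responses are constructed for the example; only the “rest_disabled” body is taken from the post, and the function and constant names are my own.

```javascript
// Added example, not part of the original post: classify what a WordPress
// site answers for /wp-json/wp/v2 and which user slugs /wp-json/wp/v2/users
// exposes. Sample bodies below are constructed; only SAMPLE_DISABLED is the
// exact text quoted in the post.

// Build the URL to check, tolerating a trailing slash on the site URL.
function restIndexUrl(siteUrl) {
  return siteUrl.replace(/\/+$/, "") + "/wp-json/wp/v2";
}

// WordPress reports REST errors as an object {"code": ..., "message": ...}.
function isRestError(doc) {
  return doc !== null && typeof doc === "object" && !Array.isArray(doc) &&
    typeof doc.code === "string" && typeof doc.message === "string";
}

// Returns "disabled", "enabled", "error:<code>", "not-json" or "unknown".
function classifyRestResponse(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return "not-json"; // e.g. an HTML error page or the theme's front page
  }
  if (isRestError(doc)) {
    return doc.code === "rest_disabled" ? "disabled" : "error:" + doc.code;
  }
  // A live wp/v2 namespace index is an object carrying a "routes" map.
  if (doc !== null && typeof doc === "object" && doc.routes &&
      typeof doc.routes === "object") {
    return "enabled";
  }
  return "unknown";
}

// The users endpoint returns an array of {id, name, slug, ...}; "slug" is
// derived from the account's login name by default, which is what an
// unauthenticated reader learns from it.
function exposedUserSlugs(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return [];
  }
  if (!Array.isArray(doc)) return [];
  return doc.filter(u => u && typeof u.slug === "string").map(u => u.slug);
}

// Combine both checks into a list of findings for your own site.
function auditRestApi(indexBody, usersBody) {
  const status = classifyRestResponse(indexBody);
  const findings = [];
  if (status === "enabled") {
    findings.push("REST API enabled at /wp-json/wp/v2");
    const slugs = exposedUserSlugs(usersBody);
    if (slugs.length > 0) {
      findings.push("user slugs readable without login: " + slugs.join(", "));
    }
  } else if (status === "disabled") {
    findings.push("REST API disabled (rest_disabled)");
  } else {
    findings.push("could not determine REST API state: " + status);
  }
  return { status: status, findings: findings };
}

// Constructed sample responses (SAMPLE_DISABLED is quoted from the post).
const SAMPLE_DISABLED =
  '{"code":"rest_disabled","message":"The REST API is disabled on this site."}';
const SAMPLE_INDEX = JSON.stringify({
  namespace: "wp/v2",
  routes: { "/wp/v2": {}, "/wp/v2/posts": {}, "/wp/v2/users": {} }
});
const SAMPLE_USERS = JSON.stringify([
  { id: 1, name: "Site Admin", slug: "admin" },
  { id: 2, name: "Jane Doe", slug: "jdoe" }
]);
const SAMPLE_HTML = "<!doctype html><html><body>Not found</body></html>";
```

To use it against a real site, fetch restIndexUrl(yourSite) and the users route with any HTTP client and pass the two response bodies to auditRestApi; the sample constants let you exercise the logic offline first.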

Conclusion

WordPress 4.7 has some vulnerabilities, and there are two simple things you should do to remedy them. First, make sure you're running the latest version of WordPress (4.7.2 at the time of this writing); second, disable the REST API if you aren't using it.


Choosing a Secure Password

Modern brute-force password crackers can crack a password of 8 or fewer characters in less than 4 hours, but one of 12 or more characters takes years to crack. So length matters far more than complexity when creating a secure password. Even a simple phrase like “MyDogRunsFast” is surprisingly more secure than “Er@42!.” When choosing a secure password, you can use simple phrases that are easy to remember as long as they are at least 12 characters long; to make it even more secure, mix in upper and lower case letters, numbers and special characters.

Tips for creating a secure password

  1. Use 12 or more characters
  2. Include numbers, upper and lower case letters and special characters
  3. Don’t use the same password for different sites
  4. Test your password in a reputable Password Strength tester, like Microsoft’s password checker: https://www.microsoft.com/security/pc-security/password-checker.aspx

Making a Simple Math Captcha using both jQuery and PHP

I wanted to write a simple Captcha that I could easily integrate into my own scripts and that would work with or without JavaScript. My first approach was to find open-source code that I could more or less copy and paste into my code with little modification. All the cookie-cutter Captcha scripts I found were so bloated with extra code, and were either only client-side (JavaScript) or only server-side (PHP), that I decided to create something from scratch. What I came up with is a script that uses Ajax for a smoother user experience (no browser reload on submit) but also works if the user has JavaScript disabled, for progressive enhancement (or graceful degradation).

Dependencies: jQuery, the jQuery Validation Plugin and the jQuery Placeholder Plugin
Assumptions: you understand jQuery and PHP and have used the jQuery Validation Plugin. Note: this tutorial is written for developers and only explains the captcha portion; I don't go into the other workings of the form, i.e. the Ajax submit, error handling, etc.

Captcha Field

Simple addition captcha

The following code goes into your HTML form to create the Captcha section. The values of the two operand fields are set with the PHP rand() function, so they differ each time the page loads (the first number is a random integer from 1 to 4 and the second from 5 to 9, which keeps the sum easy to work out).

[sourcecode language="html"]
<!-- Two read-only operands generated by PHP, plus the field for the answer -->
<input id="num1" class="sum" type="text" name="num1" value="<?php echo rand(1,4) ?>" readonly="readonly" /> +
<input id="num2" class="sum" type="text" name="num2" value="<?php echo rand(5,9) ?>" readonly="readonly" /> =
<input id="captcha" class="captcha" type="text" name="captcha" maxlength="2" />
<span id="spambot">(Are you human, or spambot?)</span>
[/sourcecode]


Define custom method for Validation Plugin

The method reads the two random values from the form and the total entered by the user, adds the two values and compares the sum with the total. If they don't match, the field fails validation and the error message is shown; otherwise it passes.

[sourcecode language="javascript"]
// Custom rule: the value typed into #captcha must equal num1 + num2.
// "value" is the captcha field's current value, passed in by the plugin.
$.validator.addMethod('captcha',
  function(value) {
    var expected = parseInt($('#num1').val(), 10) + parseInt($('#num2').val(), 10);
    var result = ( parseInt(value, 10) === expected );
    $('#spambot').fadeOut('fast');
    return result;
  },
  'Incorrect value, please try again.'
);
[/sourcecode]

Call custom validation method defined above

The highlighted sections are the parts relevant to the Captcha. The rest handles errors for the other form fields.


[sourcecode language="javascript" highlight="9-12,26-28"]
$('#contact').validate({
  debug: false,
  rules: {
    message: {
      required: true,
      minlength: 10,
      maxlength: 255
    },
    captcha: {
      required: true,
      captcha: true   // the custom method defined above
    }
  },
  messages: {
    firstName: "First name field required.",
    lastName: "Last name field required.",
    email: {
      required: "Email address required",
      email: "Email address must be in the format name@domain.com."
    },
    message: {
      required: "Message field required",
      minlength: "Message must contain at least 10 characters.",
      maxlength: "Message must not contain more than 255 characters."
    },
    captcha: {   // key must match the field name for the message to apply
      required: "* Required"
    }

  }

});
[/sourcecode]


Server side handler (PHP) in case Javascript is disabled

Now we have to handle the captcha when JavaScript is disabled. Since the captcha values are generated with PHP, we can read them back from the POST array.

[sourcecode language="php"]
// Operands and answer as posted back with the form (empty string if absent)
$num1  = isset($_POST['num1'])    ? $_POST['num1']    : "";
$num2  = isset($_POST['num2'])    ? $_POST['num2']    : "";
$total = isset($_POST['captcha']) ? $_POST['captcha'] : "";
[/sourcecode]


Define a Captcha function and call the function

[sourcecode language="php"]
// Captcha check: $num1 + $num2 must equal $total.
// Returns null when the check passes, or an error message otherwise.
function captcha_validation($num1, $num2, $total) {
    // All three values must be digit strings. Without this, missing fields
    // would each become 0 under intval() and 0 + 0 == 0 would pass.
    if( !ctype_digit((string)$num1) || !ctype_digit((string)$num2) || !ctype_digit((string)$total) ) {
        return "Captcha value is wrong.";
    }
    if( intval($num1) + intval($num2) == intval($total) ) {
        return null;
    }
    return "Captcha value is wrong.";
}

$captcha_error = captcha_validation($num1, $num2, $total);
[/sourcecode]

Now the Captcha can be validated along with your other form variables. You can see a working demo here, or download it from the link below (contains all the code and dependent files).
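The check performed by the validator method and by the PHP handler above is the same sum comparison; the following added example (plain JavaScript, not code from this post or from its GitHub project) carries it through as a small server-side module. It differs from the handler in two ways worth noting: the operands are kept in a server-side store (an in-memory Map standing in for the PHP session) so that the comparison does not depend on the operand fields posted back with the form, and the answer is parsed strictly so that an empty or non-numeric field fails instead of being coerced to a number. The session store, session ids, error texts and sample submissions are constructed for the example.

```javascript
// Added example, not code from the post or its GitHub project: the captcha
// check from the validator method and the PHP handler, as a server-side
// module in plain JavaScript. Session store, session ids, error texts and
// sample submissions are constructed for this example.

// Operand ranges follow the post: first number 1-4, second number 5-9.
function randomInt(min, max, rng) {
  return min + Math.floor(rng() * (max - min + 1));
}

// Creates a challenge and keeps the operands server-side, keyed by the
// visitor's session, so verification does not rely on the operand fields
// the form posts back. Returns the two numbers the form should display.
function newChallenge(store, sessionId, rng = Math.random) {
  const challenge = { num1: randomInt(1, 4, rng), num2: randomInt(5, 9, rng) };
  store.set(sessionId, challenge);
  return challenge;
}

// Strict parse of the answer field (maxlength="2" in the form): only one or
// two digits are accepted, so "", "7abc" or " 7 " are rejected instead of
// being silently coerced the way parseInt()/intval() would coerce them.
function parseAnswer(raw) {
  if (typeof raw !== "string") return null;
  return /^\d{1,2}$/.test(raw) ? Number(raw) : null;
}

// The arithmetic check itself, the same rule the jQuery method applies.
function sumMatches(num1, num2, answer) {
  return Number.isInteger(num1) && Number.isInteger(num2) &&
    Number.isInteger(answer) && num1 + num2 === answer;
}

// Verifies one submission. Returns null on success (like the PHP handler's
// $error) or an error string. The challenge is deleted on first use, so a
// solved answer cannot be reused against the same session.
function verifySubmission(store, sessionId, postedFields) {
  const challenge = store.get(sessionId);
  if (!challenge) return "Captcha expired, please reload the form.";
  store.delete(sessionId);
  const answer = parseAnswer(postedFields.captcha);
  if (answer === null || !sumMatches(challenge.num1, challenge.num2, answer)) {
    return "Captcha value is wrong.";
  }
  return null;
}

// Constructed walk-through with a fixed "random" source, so the challenge
// is always 3 + 7. Returns the outcome of each scenario.
function demo() {
  const sessions = new Map();
  const fixedRng = () => 0.5;
  const results = {};

  const shown = newChallenge(sessions, "sess-1", fixedRng);
  results.challenge = shown.num1 + " + " + shown.num2;
  results.correct = verifySubmission(sessions, "sess-1",
    { num1: "3", num2: "7", captcha: "10" });
  // Same session again: the challenge was consumed by the first attempt.
  results.replayed = verifySubmission(sessions, "sess-1",
    { num1: "3", num2: "7", captcha: "10" });

  newChallenge(sessions, "sess-2", fixedRng);
  // All fields empty: intval("") is 0, so a check that only adds up the
  // posted values would see 0 + 0 == 0; here a missing answer fails.
  results.emptyFields = verifySubmission(sessions, "sess-2",
    { num1: "", num2: "", captcha: "" });

  newChallenge(sessions, "sess-3", fixedRng);
  // Posted operands are not consulted; only the server's 3 + 7 counts.
  results.postedOperandsIgnored = verifySubmission(sessions, "sess-3",
    { num1: "1", num2: "1", captcha: "2" });

  return results;
}
```

In the PHP version the same design means storing rand() results in $_SESSION when the form is rendered and comparing against those in captcha_validation, rather than against $_POST['num1'] and $_POST['num2'].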


Download from GitHub: https://github.com/laithsinawi/php-jquery-simple-math-captcha

