Web Design Blog

March 2, 2017
Laith Sinawi
WordPress 4.7 vulnerabilities - update now to avoid hack


I was recently alerted by a client about a hack that was the result of running WordPress version 4.7.  This particular instance was a fairly harmless one, identified as a defacement (MW:DEFACED:01), the kind "generally done for fun, political reasons and by script kiddies." A blog post had been edited so that the text "Hacked by Imam" replaced the original content of the post. Searching for the hack message on the Internet turned up thousands of results, and after a little research I learned that the site was hacked through a WordPress vulnerability.

The WordPress 4.7 release was a major milestone bringing many new features, and one that has many developers very excited: the REST API (also known as the JSON API) content endpoints are now part of core rather than a plugin, which makes WordPress a fully-fledged application framework that you can build applications against.  However, a severe content injection vulnerability was discovered in the REST API of 4.7.0 and 4.7.1 that allows an unauthenticated user to modify the content of any post or page on the site. WordPress 4.7.2 fixes it. If you haven't updated yet, do so immediately; minor releases like 4.7.2 install automatically unless background updates have been disabled, so a site that is still on 4.7.0 or 4.7.1 should also be checked for why the update did not arrive.
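As an added illustration (not WordPress's code, and not from this post), the following stand-alone PHP script models the bug class behind the 4.7.0/4.7.1 content injection as it was publicly disclosed alongside the 4.7.2 release: the route only matches a numeric post id in the URL path, but a query-string id overrides it; the permission check looks the post up strictly and treats "not found" as "nothing to protect", while the update casts the same id to an integer and so lands on a real post. The post store, the request and the function names (`find_post`, `resolve_id`, `vulnerable_update`, `fixed_update`) are constructed for this example.

```php
<?php
// Added example, not WordPress core code: a stand-alone model of the bug
// class behind the 4.7.0/4.7.1 REST API content injection, following the
// public disclosure that accompanied 4.7.2. Two things combine: a
// query-string id overrides the id captured from the route's path, and the
// permission check resolves that id differently from the update it guards.
// Run with: php rest-id-model.php

// Constructed post store standing in for the database.
$posts = array(
    1 => array( 'title' => 'Hello world!', 'content' => 'Welcome to WordPress.' ),
);

// Models WP_Post::get_instance(): anything that is not a whole positive
// number yields no post at all.
function find_post( array $posts, $id ) {
    if ( ! is_numeric( $id ) || $id != floor( $id ) || ! $id ) {
        return null;
    }
    return isset( $posts[ (int) $id ] ) ? $posts[ (int) $id ] : null;
}

// Models parameter merging in WP_REST_Request: a query-string parameter
// takes priority over the one the route regex captured from the path, so
// POST /wp/v2/posts/1?id=1abc is handled with id "1abc" even though the
// route only matches digits in the path.
function resolve_id( array $route_params, array $query_params ) {
    return isset( $query_params['id'] ) ? $query_params['id'] : $route_params['id'];
}

// The caller is an anonymous visitor with no capabilities.
function current_user_can_edit( $post_id ) {
    return false;
}

// Vulnerable pattern: "no such post" is treated as "nothing to protect", so
// the check passes for "1abc"; the update then casts the same id to int,
// and (int) "1abc" is 1 in PHP, so a real post is overwritten.
function vulnerable_update( array &$posts, $id, $new_content ) {
    $post = find_post( $posts, $id );
    if ( $post && ! current_user_can_edit( $id ) ) {
        return 'rest_cannot_edit';
    }
    $int_id = (int) $id;
    if ( ! isset( $posts[ $int_id ] ) ) {
        return 'rest_post_invalid_id';
    }
    $posts[ $int_id ]['content'] = $new_content;
    return 'updated';
}

// Hardened pattern: validate the id strictly, resolve the target once,
// treat "not found" as an error rather than a pass, and check permission
// on the same post the update will modify.
function fixed_update( array &$posts, $id, $new_content ) {
    if ( ! preg_match( '/^[1-9][0-9]*$/', (string) $id ) ) {
        return 'rest_post_invalid_id';
    }
    $int_id = (int) $id;
    if ( ! isset( $posts[ $int_id ] ) ) {
        return 'rest_post_invalid_id';
    }
    if ( ! current_user_can_edit( $int_id ) ) {
        return 'rest_cannot_edit';
    }
    $posts[ $int_id ]['content'] = $new_content;
    return 'updated';
}

// Constructed attacker request: the path names post 1, the query string
// supplies "1abc".
$id = resolve_id( array( 'id' => '1' ), array( 'id' => '1abc' ) );

$store = $posts;
printf( "vulnerable: %-21s content=%s\n", vulnerable_update( $store, $id, 'defaced' ), $store[1]['content'] );

$store = $posts;
printf( "fixed:      %-21s content=%s\n", fixed_update( $store, $id, 'defaced' ), $store[1]['content'] );

// The honest request (id "1") is refused by both versions, because the post
// exists and the anonymous visitor cannot edit it.
$store = $posts;
printf( "vulnerable, id=1: %s\n", vulnerable_update( $store, '1', 'defaced' ) );
```

The lesson generalises beyond this one release: whenever a permission check and the action it guards resolve the target separately, an input that parses one way in the check and another way in the action becomes an authorization bypass. Resolving once, failing closed on "not found", and validating the identifier before either step closes the gap.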

More details on the security patch and vulnerabilities: WordPress 4.7.2 Security Release

Beyond the patched bug, the REST API itself widens the attack surface because it exposes data that attackers can use for reconnaissance. The most useful to them is usernames: GET /wp-json/wp/v2/users lists every user who has published a post, including the user's slug, which by default is derived from the login name. That is half of what is needed for a password-guessing attack against wp-login.php or XML-RPC.

(Screenshot: REST API JSON response, viewed in Postman)

If you're not using the REST API, it's recommended that you disable it, which you can easily do by installing the Disable REST API plugin. Note what the plugin actually does: it does not remove the API, it rejects requests from visitors who are not logged in. Anything on the site that calls the API anonymously (a theme or plugin that loads content via /wp-json/, for example) will stop working, so test after enabling it. Disabling is also a mitigation, not a substitute for the 4.7.2 update: the update removes the bug, the plugin only keeps unauthenticated requests away from it.
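As an added example that is not the Disable REST API plugin's code, here is a must-use plugin doing the two things the paragraphs above describe: restricting the whole API to logged-in users, or, less disruptively, only hiding the user-listing routes from anonymous visitors so that usernames are no longer enumerable. The file path, the RESTRICT_REST_MODE constant and the error message are choices made for this example; the filter names, route keys and priorities are WordPress core's.

```php
<?php
/**
 * Plugin Name: Restrict the REST API
 *
 * Added example, not the Disable REST API plugin's code. Save it as
 * wp-content/mu-plugins/restrict-rest-api.php (path assumed); must-use
 * plugins load without activation and cannot be switched off from the
 * dashboard. Assumes WordPress 4.7 or later.
 *
 * Pick one mode by editing the constant (a name chosen for this example):
 *   'all'   rejects every unauthenticated REST request before any route
 *           handler runs;
 *   'users' leaves the API available but removes the user-listing routes
 *           that expose login names to anonymous visitors.
 */

define( 'RESTRICT_REST_MODE', 'all' );

// Mode 'all': every REST request must come from a logged-in user.
// Registered at priority 101, i.e. after core's cookie/nonce check
// (rest_cookie_check_errors, priority 100), so a browser session that sent
// no REST nonce has already been demoted to an anonymous user here and is
// refused too. Requests authenticated by other means (for example a
// basic-auth plugin) leave the current user set and pass.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( 'all' !== RESTRICT_REST_MODE ) {
        return $result;
    }
    if ( is_wp_error( $result ) ) {
        return $result; // keep an earlier authentication failure as is
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_cannot_access',
            __( 'The REST API is restricted to authenticated users.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}, 101 );

// Mode 'users': hide the user endpoints from anonymous visitors. Out of the
// box GET /wp/v2/users lists every user who has published a post, and the
// "slug" field is derived from the login name. The route keys below are the
// ones core registers for the users controller.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( 'users' !== RESTRICT_REST_MODE || is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

Because both filters run inside WordPress's REST server, they apply equally to /wp-json/... and to the non-pretty-permalink form index.php?rest_route=/..., which a web-server rule that only blocks the /wp-json/ path would miss. After installing, repeat the browser check described below: an anonymous request should now receive a JSON error with HTTP status 401 (mode 'all'), or a route list that no longer contains /wp/v2/users (mode 'users').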

How Do I know the REST API is Enabled?

You can tell whether the REST API is enabled by opening your site in a browser and appending /wp-json/wp/v2 to the URL, for example http://example.com/wp-json/wp/v2 (if the site does not use pretty permalinks, the equivalent address is http://example.com/?rest_route=/wp/v2).

If you see a block of text, which is a JSON description of the available routes, then the API is enabled and reachable by anonymous visitors.  If it has been disabled, you get a short JSON error instead; the exact code and message depend on how it was disabled. WordPress core's own response when the API has been switched off by a filter looks like this:

{"code":"rest_disabled","message":"The REST API is disabled on this site."}

A plugin that blocks unauthenticated access returns a similar error with its own code and an HTTP 401 or 403 status. If you get the site's normal 404 page rather than JSON, the request never reached WordPress's API handler at all, which usually means a web-server rule is blocking /wp-json/ or pretty permalinks are off; try the ?rest_route= form before concluding the API is disabled.

Conclusion

WordPress 4.7.0 and 4.7.1 have a serious vulnerability, and there are two simple things you should do about it.  First, make sure you're running the latest version of WordPress (4.7.2 at the time of this writing); that is the actual fix.  Second, if nothing on your site uses the REST API, disable it for unauthenticated visitors to shrink the attack surface, and re-check the /wp-json/wp/v2 URL afterwards to confirm the change took effect.
