WordPress Zero-Day Incident – the flaw that was, then wasn’t, then was, then wasn’t

What a week it has been for online security. Of particular interest to us was the WordPress Zero-Day Incident, which left some websites with pesky “hacked” notices on particular pages.

With the robust set of security settings that we put in place on WordPress websites, any compromises we’ve seen in the past 18 months have been due to a user’s own computer being compromised and passwords being gleaned that way.

And so it was that a handful of website owners reached out to alert us and to have us investigate whether, and how, they’d been hacked.

What most of the world, including us, did not know was that in the background a war between the forces of good and evil was underway (yes, I clearly see it that way – website owners are CONSTRUCTING things in this world, hackers are simply DESTRUCTING them), and the WordPress security forces were responding rapidly.

Here is my summary, without getting too geeky.

WordPress Zero-Day Incident in layperson terms.

With the latest version of WordPress, version 4.7, the team introduced the REST API, which is planned to be a major part of WordPress’ functionality in the future.

However, the way the code was originally put together slipped past the code-checking teams, who failed to notice a rather obscure method for hackers to trick the site, gain credentials and then deface it, e.g. by changing the titles or content of pages or posts.

It all happened at the speed of data

Within hours of the exploit being discovered, WordPress was able to trigger an update for itself, to version 4.7.2, containing a “patch” to fix the issue.

However, this did leave some websites with defaced pages or posts. It also left some websites vulnerable where the usually automatic security update failed to occur (for any of the variety of vagaries that arise when countless different website and web hosting configurations exist).
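The failed auto-update case above is the one a site owner or host can actually check for. The following is an added example, not code from the original post or from WordPress: a small Python script that reads the version string WordPress stores in wp-includes/version.php (a real file and variable name in every WordPress install) and compares it component-wise against the 4.7.2 fix. The sample file contents are constructed for the demonstration. Comparing version strings lexically would be wrong here (“4.7.10” sorts before “4.7.2” as text), which is why the script converts them to numeric tuples first.

```python
import os
import re

# Constructed sample contents of wp-includes/version.php. Only the
# $wp_version line matters for this check; real files define more globals.
SAMPLE_VULNERABLE = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_PATCHED = "<?php\n$wp_version = '4.7.2';\n"
SAMPLE_NEWER = "<?php\n$wp_version = '4.7.10';\n"
SAMPLE_OLD = "<?php\n$wp_version = '4.6.3';\n"

FIRST_AFFECTED = (4, 7, 0)   # the REST API shipped in 4.7
FIRST_FIXED = (4, 7, 2)      # the fix shipped in 4.7.2

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """Return the (major, minor, patch) tuple from version.php contents, or None.

    Pre-release suffixes such as '4.8-alpha-12345' are dropped, and short
    versions such as '4.7' are padded so that they compare as (4, 7, 0).
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    core = match.group(1).split("-")[0]
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    if not nums:
        return None
    return (nums + (0, 0, 0))[:3]


def classify(text):
    """Classify version.php contents relative to the 4.7.2 fix.

    Returns one of: 'unknown', 'pre-4.7', 'vulnerable', 'patched'.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "pre-4.7"          # no REST API content endpoints, but out of date
    if version < FIRST_FIXED:
        return "vulnerable"       # 4.7 or 4.7.1: auto-update did not land
    return "patched"


def check_install(wp_root):
    """Classify a WordPress install by its document root directory."""
    version_file = os.path.join(wp_root, "wp-includes", "version.php")
    with open(version_file, encoding="utf-8") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for label, sample in [("4.7.1", SAMPLE_VULNERABLE), ("4.7.2", SAMPLE_PATCHED),
                          ("4.7.10", SAMPLE_NEWER), ("4.6.3", SAMPLE_OLD)]:
        print(f"{label:>7}: {classify(sample)}")
```

Run `check_install("/path/to/site")` against each hosted site’s document root; anything reported as “vulnerable” is an install where the automatic 4.7.2 update the post describes never applied and needs updating by hand.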

Adding to the intrigue, WordPress made the decision of NOT announcing any of this until well after the fix had been sent out.

This meant that when we responded to the handful of people who contacted us, our usual tools at site and server level found no current threats, because the patches were already in place and the sites were safe again.

The moral of the story?

There is a moral to this story.

Many of us work on the “good” side of the ledger and do our best to fight the good fight. However, every now and then, for various reasons, the forces of destruction have wins and do their best to wind back the human endeavour.

For example, Chris Gardner of Postik.net’s summary of security alerts across the web this week reveals just how bad it is out there, and how important preventative measures like our WordPress Maintenance Plan are, even if every now and then the scoundrels get in faster than the systems can close the loop.

Look at this list:

  • Hot Flash: WordPress.org discovered a serious vulnerability in the code that, if exploited, would give hackers easy access to your website controls. To their credit, WordPress.org quickly issued the 4.7.2 update and patched the “zero-day vulnerability”.
  • Hot Flash: The new Malwarebytes 3.0 has a new version available, 3.0.6. As always, you should update your protection programs immediately when a new version is presented. That’s because commercially available security programs are routinely bought by hackers who reverse-engineer them to figure out how to defeat them.
  • Hot Flash: Apple OS Updates – Get ’em quick, as they fix a number of security vulnerabilities.
  • Hot Flash: Gmail Users Beware – There’s a new, sophisticated ‘phishing’ attack going around to Gmail users.
  • Senior Moment: Yahoo gets hacked – just about every account it has. If anyone is still using Yahoo for email, it’s time to make the switch.
  • Hot Flash: New Ransomware – Called “Popcorn Time”, this offers victims free removal if they get two other people to install a link and play (get infected and have their computers locked up).
  • Hot Flash: Gooligan Malware is hitting millions of Android smartphones and tablets.
  • Hot Flash: Don’t Download fb files – Those creative hackers are constantly looking for new ways to hack into your computer. Yesterday a new hack was reported using social media image files (particularly Facebook and LinkedIn). Check Point discovered that Locky (a variant of ransomware) is getting on people’s computers as they download image files from the social media networks. Hackers are adding malicious code to image files which hijacks your computer when you download the photo.
  • Hot Flash: Following in the footsteps of AshleyMadison.com, now FriendFinder Networks has been hacked, with over 400 million users’ passwords and such stolen.

I hope that hasn’t disturbed your sleep.

If there is one thing this WordPress Zero-Day Incident has reminded us, it’s that fighting the scourge of hackers needs all hands on deck. This means that even with antivirus software, maintenance plans and security systems in place, it is prudent to keep an eye on things yourself.

Image: Pixabay