Close to 1.5 million WordPress blogs have been defaced by hackers due to a security flaw in the software. WordPress, an open-source platform, powers many official websites, such as those of Walt Disney Co., Microsoft News Center and the Indian Prime Minister’s Office. More than 26 percent of websites on the internet use the open-source platform. The Information-Technology Promotions Agency (IPA) warns that software versions 4.7.0 and 4.7.1 contain the vulnerability. The official website of the Olympic Minister Tamayo Marukawa has also reportedly fallen victim to the attacks. Marukawa said on Monday that her official website, when accessed, showed messages such as “HaCkeD By MuhmadEmad” and “KurDish HaCk3rS WaS Here.” The site had been restored by Tuesday.
Sucuri, an American security firm, notified the company of the vulnerability on the 20th of January 2017. In a blog post, WordPress said that it had delayed going public about the flaw so that it could prepare a fix that would keep its websites out of jeopardy. A patch was then released on the 26th of that month, and websites were updated automatically. However, many websites failed to update and fell prey to such attacks.
The vulnerability was said to be in an add-on released by WordPress in December 2016. Many security firms are now working to help WordPress recover from the attacks. WordFence, one of the security firms investigating the attack, claims that over 20 hacker groups have exploited the loophole, causing WordPress and its users to be exploited in diverse ways.
Sucuri now claims that the hackers are not just trying to deface the blogs but also to take over the websites entirely. This poses a potential threat to users, as identity and various other personal information are put at stake.
Mark Maunder, the founder and CEO of WordFence, said that “during the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor.” Other security firms claim that the hackers have now moved on from defacement to uploading bugs onto blogs, which will cause the websites to go down on their own.
“Attackers are starting to think of ways to monetise this vulnerability,” wrote Sucuri founder, Daniel Cid. “Defacements don’t offer economic returns, so that will likely die soon.” “Hackers were keen to use the vulnerable sites as proxies for spam or malware campaigns,” he added.