WordPress 4.7.2 Security Release
WordPress recently released version 4.7.2 to address a couple of critical security vulnerabilities. If you own a website running on WordPress and it's not on the latest version, make time to update it. If you have trouble doing so, get in touch with us and we'll see how we can help.
As always, we have already done so for all our customers' WordPress websites.
Full story (for the rest of us)
SingCERT has just issued an alert highlighting an increase in defacements of websites hosted in Singapore, as well as .sg websites hosted both locally and overseas, that run WordPress version 4.7.1 or earlier. Based on SingCERT's initial investigations, this was the result of exploitation of a WordPress vulnerability.
In case you don't know what "defacement" means, it's probably the "mildest" attack in the universe of cyber security. It doesn't bring your network down like a DDoS, and it doesn't steal your data; the attackers only change the visual appearance of your web page, sort of like leaving graffiti on it. Most of the time they just want to make a point or spread an agenda. We have to agree it can be quite annoying, though. Look how this attacker managed to insert a photo of Donald Trump into a website that has nothing to do with American politics. One caveat: "mild" describes the damage, not the access. A defacement proves that someone was able to write to your site without your permission, and the same access could have been used for something you wouldn't notice so quickly.
Defacements like this can be remedied by restoring from backup, provided you actually back up regularly. Otherwise, you may just have to manually replace the content with your own. Either way, restoring the content alone doesn't close the hole: a site that is restored but not updated will simply get defaced again.
So how could this happen? Mainly due to one of the new features introduced in WordPress 4.7: the WordPress REST API, which aims to move WordPress towards becoming better software. Just like any progress that comes with risks, the introduction of this feature opened up a security loophole that puts sites running WordPress 4.7.0 or 4.7.1 at risk. A flaw in the new REST API content endpoints allows an unauthenticated attacker to modify post content, which is exactly what a defacement needs.
So you may ask: if your site is running an even older WordPress that doesn't have the REST API, does that mean you're safe? Yes and no. Yes, because you will not face this particular threat. No, because 4.7.2 fixes other issues too, as outlined in WordPress' own release notes, and those need to be addressed as well.
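Here is a quick way to check which of these groups a site falls into. This is an added example, not code from the original post or from WordPress itself; the function names and the three labels are our own, and the version.php it reads is a constructed sample rather than a real install.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress): classify a
# WordPress install against the 4.7.2 release using wp-includes/version.php.

# Pull the version string out of a wp-includes/version.php file.
# The real file contains a line like:  $wp_version = '4.7.1';
read_wp_version() {
    grep '^\$wp_version' "$1" | cut -d"'" -f2
}

# Compare two dotted release numbers (major.minor.patch); prints -1, 0 or 1.
# Pre-release suffixes such as "-alpha" are not handled.
vercmp() {
    # Append .0.0 so a short version such as "4.7" still has three fields.
    IFS=. read -r a1 a2 a3 _ <<EOF
$1.0.0
EOF
    IFS=. read -r b1 b2 b3 _ <<EOF
$2.0.0
EOF
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { echo -1; return 0; }
        [ "$1" -gt "$2" ] && { echo 1; return 0; }
    done
    echo 0
}

# Three buckets (the labels are our own, not WordPress terminology):
#   current              4.7.2 or later
#   rest-api-vulnerable  4.7.0 / 4.7.1: exposed to the REST API flaw, plus missing the other 4.7.2 fixes
#   outdated             before 4.7: no REST API content endpoints, but still missing the other fixes
classify_wp_version() {
    if [ "$(vercmp "$1" 4.7.2)" -ge 0 ]; then
        echo current
    elif [ "$(vercmp "$1" 4.7.0)" -ge 0 ]; then
        echo rest-api-vulnerable
    else
        echo outdated
    fi
}

# Demo on a constructed version.php in a temp directory (no real install is touched).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/version.php" <<'EOF'
<?php
$wp_version = '4.7.1';
EOF
    v=$(read_wp_version "$tmp/version.php")
    echo "WordPress $v: $(classify_wp_version "$v")"
    rm -rf "$tmp"
}

demo
```

On a real install, point read_wp_version at wp-includes/version.php under the site's document root (if you have WP-CLI, `wp core version` prints the same number). The comparison only understands plain release numbers like 4.7.1, and any answer other than "current" means the same thing: update.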
So our best recommendation is: update your WordPress anyway! If you are our customer, you can rest easy knowing we have taken care of this for you. If you are not our customer yet, you may want to check out our plans below or find out why we started WP Sifu.