Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability

Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability

21.4K 3037 1158 26.1K

Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability

Last week, we reported about a critical zero-day flaw in WordPress that was silently patched by the company before hackers have had their hands on the nasty bug to exploit millions of WordPress websites.

To ensure the security of millions of websites and its users, WordPress delayed the vulnerability disclosure for over a week and worked closely with security companies and hosts to install the patch, ensuring that the issue was dealt with in short order before it became public. Finding out their site vulnerabilities could have been as simple as enlisting the services of Cobalt to simulate attacks and locate any weaknesses present.

There are other ways to ensure digital security too. For example, in some cases, the software being used can often benefit from a c++ test to identify any potential flaws.

However, even after the company’s effort to protect its customers, thousands of admins did not bother to update their websites, which are still vulnerable to the critical bug and have already been exploited by hackers.

For those people who did not realize that they had to update their website and have been hacked, then there are a few things that can be done to help sort out their website. For example, they could visit a site like, as they could help to remove the malware.

While WordPress includes a default feature that automatically updates unpatched websites, some admins running critical services disable this feature for first testing and then applying patches.Even the news blog of one of the famous Linux distribution OpenSUSE ( was also hacked, but restored immediately without breach of any other part of openSUSE’s infrastructure, CIO reports.

The vulnerability resided in WordPress REST API that would lead to the creation of new flaws, allowing an unauthenticated attacker to delete pages or modify all pages on unpatched websites and redirect their visitors to malicious exploits and a large number of attacks.

There are so many ways to hack a WordPress Website, pirates already know it better than anyone else. But do you know it too? Do you know against what you need to be protected?

It’s important to learn how a website can be broken, stolen, how intruders can take your place.

Attackers have taken a liking to a content-injection vulnerability disclosed last week and patched in WordPress 4.7.2 that experts say has been exploited to deface 1.5M sites so far.

The issue has evolved into “one of the worst WordPress related vulnerabilities to emerge in some time,” researchers with WordFence, a Seattle-based firm that makes a WordPress security plugin, said Thursday.

Mark Maunder, WordFence’s Chief Executive Officer, said researchers saw the biggest spike in attacks on Tuesday this week when the company blocked roughly 13,000 attacks from 20 different campaigns.

That’s a significant uptick from earlier this week, on Monday, when researchers with Sucuri, the firm that first reported the issue to WordPress, said they had initially seen more than 66,000 webpage defacements from four different campaigns.

The reason for the influx, Maunder said, is because at the beginning of the week attackers refined their attacks to bypass a rule that WordFence and other companies had implemented. While WordFence was quick to engineer a new rule to prevent the bypass, attackers were still able to succeed in infecting a slew of sites–more than 800,000 over a 48-hour period from Tuesday to Wednesday–he said.

In some instances, hackers are competing to compromise sites that haven’t yet applied the fix. WordFence researchers claim they’ve come across some sites where multiple hackers attempt to take credit on multiple pages for hacking them. The defacing and re-defacing will likely continue until those sites apply the 4.7.2 fix, Maunder says.

Here’s some stats from our clients since 2010:

  • 60% of hacked people don’t even know what happened,
  • 25% of pirates exploited a vulnerability in a plugin or theme,
  • 6,5% came with your password, found by brute-force,
  • 3% used a flaw from the WordPress core not updated,
  • 1,5% get hacked because of their host provider,
  • 0,6% of websites still had old installation files,
  • 0,5% because of bad files permissions (chmod),
  • 0,5 because of a stolen password (without brute-force)
  • 0,4% sharing other reasons like computer without antivirus, answer to a phishing mail, outdated server softwares or FTP software, etc
Hacking Statistics since 6 years

Hacking Statistics since 6 years

Don’t Know What Happened

This is badly common, but for more than a half of WordPress hacked websites – 61% –, the source of the issue is not clear. It’s even difficult to know how it happened, where is the entry point, where are the hints, who and why they did that. Webmasters were just victims of hackers, hacking websites.

In those cases, the work to try to know the reasons of the hack is too big and too expensive for a client to work on.

And if it happens to you a day, I recommend you to don’t waste your time, what happened is really bad, but use this time to secure your website instead of doing this useless investigation.

A Plugin or Theme is Vulnerable

Without plugins or theme, WordPress wouldn’t be what it is today. We all need these additional components so every website can respond to a need. The number of plugins is growing everyday, everybody can be an author, regardless of their development skill.

Keep Up to Date

The first thing to know with plugins and theme is to be up to date. We always say that but it’s very important, don’t forget the goal of the updates, correcting bugs, adding new features but also patching security vulnerabilities!

can tell you with its scanner which plugins and themes are not up to date

SecuPress can tell you with its scanner which plugins and themes are not up to date


Don’t rely on plugins which weren’t updated since 2 years at least, neither the ones without a good support, or too few downloads when the author isn’t known yet.

This trust has to be earned, it is possible that this plugin with 10 downloads done by a new author is perfect, but wait that the trust has been brought by the community.


For the free ones, prefer plugins from the official WordPress Repository because it’s examined a minimum by Mika and Otto whom doing a great job on that (see “How to Review a Plugin” on

If it’s a premium one – so it’s not in the repo – don’t try to find it using search engines because they will find it on warez websites. This is the best way to get a WordPress Hacked Website.

What you’ve earned with this fake free product is null besides what you’ll have to do, and pay to get your website back on its legs again.


With WordPress it’s possible to send plugins using the admin area, with a simple .zip file, and it’s done! But, this file can contain any code and will still be installed. Here’s the best way to get a WordPress Website Hacked.

The best way to be secure is, again, to only use plugins from the repository and for premium ones to use a secure FTP.