Attackers have been exploiting a recently reported vulnerability in WordPress to deface up to a reported 1.5 million pages. The REST API weakness allows code to be inserted into WordPress websites. Fortunately, a patch has been developed to ward off intruders.
Without the patch, hackers can change content on a WordPress site. This weakness was repaired in WordPress 4.7.2. The vulnerability was not announced until a week after the repaired version was released, giving WordPress users a chance to update their software.
Some WordPress users did not heed the warnings to shore up their defenses and got hit, according to Sucuri, a web security firm.
Up to 20 attack signatures have reportedly been blamed for the 1.5 million defaced pages. These attackers also overcame firewalls and other protective programs to exploit the WordPress flaw. WordPress informed internet security companies about the weakness before the patch was released, attempting to help them put security measures in place to protect their websites.
WordPress websites hosted by the Google Search Console received security alerts from Google warning them about the weakness. These warnings advised them to update their WordPress security coding with the WordPress 4.7.2 update. The weakness will probably remain in place on some websites because their webmasters will not, for whatever reason, read the writing on the wall and take steps to avert the risk until their site is breached.
It will take some time before the attackers halt their activity. It is undetermined how long the defacement will actually continue.