The vulnerability relates to the WordPress REST API and a newly discovered entry point. Hackers exploiting the vulnerability instantly have access to all unprotected pages on the affected site. They can then use the pages for any number of purposes.
The first discovered attack was used simply to deface websites with ‘hacked by’ messages. But experts say defacing is just the starting point. They believe hackers will quickly move on to creating ways they can use the compromised sites for profit. One suggestion is that they will take over WordPress sites and use them to launch widespread black hat SEO campaigns. The hackers could also use the vulnerability to send a nearly unstoppable flow of spam e-mail.
It looks as though the number of compromised sites at this point is somewhere between 40,000 and 70,000. However, the current WordPress breach is just the latest in a long history of security issues. As WordPress is the most used CMS on the web, hackers frequently target it with the understanding that the people most likely to use WordPress independently (that is, without the help of professional web developers) don't possess the kind of knowledge required to keep their sites safe.
During the first eight months of 2016 alone, nearly 22,000 WordPress websites were known to have been compromised by hackers. Even more disturbing is the fact that half of them slipped by Google's Safe Browsing system. The reality is that WordPress is the most targeted CMS because of its sheer volume. It is followed by Joomla!, Drupal and other CMS platforms, though the numbers for these other systems are substantially lower.
Experts say the big problem with most CMS platforms such as WordPress is the extensions and plugins people use to increase functionality. Even if WordPress were completely sound by itself, plugins created by third-party developers tend to be security nightmares. All it takes is one developer not keeping up with the latest security changes to doom tens of thousands of sites.
At Siteglide, we are proud to be able to offer our customers a completely secure platform that is not vulnerable to the OpenSSL problems, such as Heartbleed, that so many other platforms are susceptible to. Our platform is an Adobe solution hosted by Amazon Web Services. We have the power and reputation of two of the most well-known technology companies behind us. Furthermore, Siteglide is PCI level 1 compliant and Qualys certified. Siteglide does not use, or rely upon, third-party plugins, which can render a site vulnerable to unwanted, external attack. Instead, at Siteglide we develop our own modules, which are thoroughly tested internally before being released to our clients.
Being Level 1 PCI DSS (The Payment Card Industry Data Security Standard) compliant means that Siteglide utilises the very latest policies and procedures to maintain the security and integrity of information collected for debit, credit and cash card transactions. It also means we follow standard best practice to ensure that customer information is never misused.
Simply put, we go above and beyond protecting your site from defacing. We also protect you and your site's visitors from those who would seek to do harm after attacking vulnerable sites. If they cannot breach your site, they can't do any harm.
We encourage WordPress users to consider switching to Siteglide today. We offer secure hosting along with content management, e-mail marketing, CRM, and database services. We can even rebuild your website from scratch after the move to our platform. A move to Siteglide significantly reduces your risk of being hacked. Staying with WordPress only increases your risk.
Who knows how many tens of thousands of WordPress sites are still vulnerable to the latest hack? Most likely, it's far too many. Stop relying on your hosting company and third-party plugin developers to protect you and your site's visitors. Come on over to Siteglide and learn what a truly secure platform is like.
For more information and impartial website security advice, please call 020 8068 2583.