WordPress 4.7 Core Update
In late 2016, WordPress released version 4.7 of WordPress Core. In keeping with the WordPress tradition of naming updates after jazz musicians, the new update was named “Vaughan” (after the mid-century singer Sarah Vaughan). Although the update was welcomed for its exciting new features, it soon became the source of many security headaches and long weekends.
Everyday users experienced flashy new options, like a built-in setting for implementing videos as headers and a CSS editor with live preview. For developers, Vaughan offered something even better: the REST API. Developers now had an easy way of pulling just about any content from any WordPress installation into new applications.
The effort to develop and get REST API functionality into WordPress Core had been a long process. The announcement of its inclusion in 4.7 was cause for celebration.
About a month after the release of Vaughan, Sucuri (a web security company with one of the largest security-focused WordPress plugins) detected a vulnerability.
Sucuri reached out to WordPress to let them know about the flaw on Friday, January 20, 2017. WordPress’s security team spent the weekend developing a fix and quietly reaching out to other security platforms to warn them about the bug. The team then contacted WordPress hosts to implement protections.
“While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.”
– Marc-Alexandre Montpas, Sucuri Security Researcher
WordPress Hacking Outbreak
On January 26, 2017, WordPress released version 4.7.2. WordPress feared hackers might take advantage of people who didn’t immediately update their versions, and left out any talk of the major vulnerability in the patch notes. Six days later, on February 1st, Sucuri announced the finding of a “subtle bug” that “allows visitors to edit any post on the site.”
Most WordPress users have auto-updates turned on, making it a non-issue for many, and WordPress had given advance notice to the security platforms. However, attackers eventually started finding their way through. One of those security platforms, Wordfence, shared that attackers eventually found a way around their preventative measures. They noted “over 800,000 attacks exploiting this specific vulnerability across the WordPress sites [they] monitor”. These attacks happened in a 48-hour period, a little over a week after the exploit became public.
Most of the attacks simply changed the content of pages on WordPress sites. Many displayed some sort of “hacked by” message, but the exploit allowed for much more.
“Depending on the plugins enabled on the site, even PHP code could be executed very easily,” said Montpas.
It’s estimated that over one and a half million pages were defaced.
Firefly Marketing’s Safety Measures
This story involves one of the worst vulnerabilities WordPress has seen. This situation is uncommon, but the message is clear: keep WordPress Core updated. If you host your website with us, you never have to worry about updates. Firefly Marketing keeps WordPress Core updated for you!
WordPress vulnerabilities aren’t the only threat to your website. Here are a few other precautions Firefly Marketing takes to keep your websites safe and secure:
We employ DDoS protection servers to protect against excess and unwanted traffic.
A DDoS attack is when a hacker tries to take a website offline by sending it so much traffic that it overwhelms the system. Firefly Marketing uses a content delivery network, which essentially saves a recent copy of your website on multiple servers that are geographically spread out; when a server is attacked, traffic is simply rerouted to a different server experiencing a lighter load. This system also acts as a middleman and blocks unwanted traffic from getting to your website. When DDoS attacks take your site offline, security expert Rackspace estimates you could be missing out on thousands of dollars of business per hour.
We practice server hardening, in which we implement numerous security controls.
Firefly Marketing follows leading industry standards when configuring our servers. This includes, but is not limited to, using firewalls, SSH key pairs, and intrusion detection. These trusted practices add up to an additional layer of strengthened protection.
We back up your website daily and keep those backups stored safely.
According to MIT, this is probably one of the most important security measures you can take. This is exactly the kind of precaution you would hope to have in place in case of something like a defacement: the ability to restore your website to its pre-hacked state. As always with important electronic data, backups are kept off-site, separate from the originals; therefore, in the event of something like a natural disaster, your data is still safe!
Enforcing HTTPS and using SSL certificates encrypts data being sent to and from your site.
By applying these security protocols, we are not only protecting your website, we are protecting your customers as well. These practices help keep your website safe from potentially prying eyes, like an untrustworthy public internet connection. Developers at Google claim HTTPS is the future of the web.
Firefly Marketing employs all of these methods and more in an effort to keep your website secure and running efficiently. Added security is just one aspect of our many hosting benefits.
We’re here to help! Firefly is available Monday – Friday, 8 AM CT to 5 PM CT. If you have any questions, comments, or requests you can Tweet us or follow us on Facebook to stay up to date with all our blog posts!