We have recently learned of a serious WordPress vulnerability that allows hackers to delete your post content, deface your blog and change your URLs – the problem has been named the “WordPress defacement vulnerability”. Not only does this hack risk destroying your business reputation, it also damages your onsite SEO. Updating to the latest version of WordPress is highly recommended.
The hack often goes unnoticed on many websites because all the hacker does is edit the content of a post on your website. The post title, content and URL are all changed, usually displaying a simple message, such as “Hacked by XYZ”. In most of the cases we have seen, no real damage has occurred. The first hackers to exploit this seemed to use it only for political propaganda, although in theory the same process could be used to insert links or adverts into content.
This is done by exploiting not one, but three new Cross Site Scripting vulnerabilities in WordPress:
- Cross-site scripting (XSS) via media file metadata.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
Here’s an example which is currently live – note that the URL is /sh-html/ so it is not possible to determine what this page was originally about. WordPress has built-in 301 redirects so the original page will redirect to /sh-html/. Also, the hacker has not only replaced text, but hotlinked an image from wallpaperswide.com.
Who is Affected?
It seems that any website that has failed to patch the vulnerability is at risk. We have seen the hack appear on every type of website, including government owned NHS websites. Sites with firewalls and other security plugins installed have been affected. In fact, Word Fence, which is one of the most trusted WordPress security plugins at the moment, issued their own update to help fix the problem.
Fortunately, only two versions of WordPress carry this vulnerability: 2.7.1 and 2.7.2. These were minor updates, which were released in January 2017. Basically, an error in part of the code opened up a vulnerability that was never previously in WordPress, and hackers soon discovered this and shared the details with each other.
Updating to the latest version, 2.7.3, closes the hole in security. However, just updating will not remove any hacked pages.
Finding Hacked Pages
There are several ways to find hacked pages. To find a simply defacement, just log in to your WordPress site, navigate to the Posts section and then search all posts for “Hacked” – many hackers are eager to advertise that they have hacked a page. Another way is to look through all your posts in the Posts section, and look out for titles that have obviously changed.
You can also search Google for hacked pages by using the site: search command, to see if your site has been indexed for hacked terms. Alternatively, if you have an automated HTML sitemap, just look through the list of posts and you should quickly spot anything that is out of line.
Searching in Google
There are many hacked posts out there already. If you search Google for [site:.uk “hacked by”] you will see results such as these:
How To Recover Your Lost Posts
So long as you have not disabled post revisions, recovering your lost content is easy – just navigate to the post revision page and select the previous version. In all the hacked websites we have seen, the hacked posts actually underwent several changes, presumably by different hackers exploiting the vulnerability.
However, WordPress does not provide a way to revert to the previously used URL. If your URL was automatically created by WordPress, based on the page header / title, then deleting the URL permalink and then updating the post will in most cases recreate the original URL used. If this process does not work, then the only way is to search through your own records, review your pages in Analytics and to see which ones have vanished, or use Google search to find the listed URL for that content.
We cannot emphasise enough how important it is to update your website immediately. If you are running one of the vulnerable versions, hackers can easily delete all your blog content. One page is relatively easy to recover, but if you have hundreds of blog posts removed, you will have a huge task on your hands.
If you are not confident with analysing and fixing your own website, we offer a WordPress management service for just £25 per month. We’ll ensure your website is kept updated, install the latest security plugins and quickly fix any problems that arise so that they have minimal impact on your business.