WordPress 4.7.1 Vulnerability Hacked By SA3D HaCk3
Recently one of my clients had two of their WordPress websites hacked. The main evidence was two posts added to the blogs with a title of either ‘Hacked By SA3D HaCk3’ or ‘Hacked by Xurupitas Farm’.
After doing my research on Google I found that the reason was a vulnerability in the 4.7.1 release of WordPress. Users who failed to upgrade from 4.7.1 to 4.7.2 remained exposed to the vulnerability in WP_Query. Although the WordPress core is not endangered, some themes and plugins could be susceptible to a SQL injection (SQLi) when passing unsafe data. This issue was fixed in version 4.7.2.
What Did the Hackers Add to the Blogs
After deleting the injected posts, I looked into the WordPress databases for more clues and did find some revisions of the aforementioned posts, but nothing else.
The moral of this story for me is to draw our customers' attention to the need to update core software and plugins regularly. Additionally, automatic background updates are very useful in promoting better security. One approach is to add a statement enabling core upgrades to the WordPress config file, wp-config.php.
Configuration of wp-config.php
Using wp-config.php, one can completely disable WordPress core automatic updates
define( 'AUTOMATIC_UPDATER_DISABLED', true );
or fine-tune the way core will update in the future.
define( 'WP_AUTO_UPDATE_CORE', true );
The second argument of the above statement can take one of three values:
true - the core will always update, even for major upgrades
false - the core will never update
'minor' - only minor updates will be applied (note that this value is a quoted string)
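To check which of these settings a site actually has, the following Python sketch reads the text of a wp-config.php and reports the effective core auto-update policy. It is an added example, not code from the original post or from WordPress; the function names and the sample config are constructed for illustration, and it assumes simple one-line define() statements.

```python
import re

# define( 'NAME', value ); on one line. Lines starting with // or # do not match.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.MULTILINE)

FALSY = {"false", "0", "''", "'0'", "null"}  # PHP values that evaluate to false


def parse_defines(config_text):
    """Return {constant: raw value}, lowercased, with quotes normalized to '."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)  # drop block comments
    defines = {}
    for name, raw in DEFINE_RE.findall(text):
        # PHP keeps the first definition of a constant; later ones are ignored.
        defines.setdefault(name, raw.lower().replace('"', "'"))
    return defines


def core_update_policy(config_text):
    """Classify the core auto-update policy set in wp-config.php (hypothetical helper)."""
    d = parse_defines(config_text)
    disabled = d.get("AUTOMATIC_UPDATER_DISABLED")
    if disabled is not None and disabled not in FALSY:
        return "disabled"      # master switch: no automatic updates at all
    core = d.get("WP_AUTO_UPDATE_CORE")
    if core is None:
        return "unset"         # WordPress default behaviour applies
    # Anything else is not one of the three values listed above.
    return {"true": "all", "false": "none", "'minor'": "minor"}.get(core, "unrecognized")


# Constructed sample config, not taken from a real site.
SAMPLE = """<?php
define( 'DB_NAME', 'example' );
// define( 'WP_AUTO_UPDATE_CORE', true );
define( 'AUTOMATIC_UPDATER_DISABLED', false );
define( "WP_AUTO_UPDATE_CORE", 'minor' );
"""

if __name__ == "__main__":
    print(core_update_policy(SAMPLE))
```

A result of "disabled" or "none" on a client site is the case worth following up, since that site will not pick up a fix such as 4.7.2 on its own.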