Wordpress Vulnerability

http://www.bbc.co.uk/news/technology-38930428

I just saw the article about the major WordPress vulnerability and it seems my site was affected. One of the most recent posts was hijacked and replaced with a Viagra spam post. I've restored the original post (and obviously updated WordPress) but was wondering what else I should be checking, as neither the news article nor the WordPress update overview mentioned anything.

Is the exploit an SQL injection, and if so, should all account passwords etc. be changed? Should I be looking for bad plugins etc.?

Also, an FYI for those with WordPress sites that haven't been updated in the last week or two.
 
It's not an SQL injection attack and it doesn't require any user credentials. Updating core should be enough to fix it.

It was a problem in the new API which allowed unregistered users to bypass the authorisation check and use the edit post method. All they could do was edit pages or posts, and there's not a huge amount you can do from there to get further, but in some cases it is possible (some plugins might give options for executing further PHP code).
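Since the edit went through the REST API rather than the admin UI, the access log is the place to bound the window in which it could have happened. The script below is an added example for this thread, not code from any poster or from WordPress; it assumes the default REST routes for posts and pages under /wp-json/wp/v2/ and a combined-format (Apache/nginx) access log, and the log lines it runs over are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): list write-method requests to the REST
# posts/pages endpoints so they can be reviewed against known editor activity.
# Assumption: combined log format (field 6 = "METHOD, field 7 = path).

# Constructed sample access log. 203.0.113.10 edits post 123 over the REST API;
# 192.0.2.5 edits through wp-admin as a logged-in user would.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [06/Feb/2017:03:14:07 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 2311 "-" "curl/7.47.0"
203.0.113.10 - - [06/Feb/2017:03:14:09 +0000] "POST /wp-json/wp/v2/posts/123 HTTP/1.1" 200 2402 "-" "curl/7.47.0"
198.51.100.7 - - [06/Feb/2017:09:02:44 +0000] "GET /2017/02/some-post/ HTTP/1.1" 200 9121 "-" "Mozilla/5.0"
192.0.2.5 - - [06/Feb/2017:10:11:12 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "https://example.org/wp-admin/post.php?post=123" "Mozilla/5.0"
EOF
)

# Print every line where a state-changing method targets the REST posts or
# pages collection. Exit 0 if at least one line matched, 1 otherwise.
rest_write_hits() {
    printf '%s\n' "$1" | awk '
        $6 ~ /^"(POST|PUT|PATCH|DELETE)$/ &&
        $7 ~ /^\/wp-json\/wp\/v2\/(posts|pages)(\/|[?]|$)/ { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Number of matching lines, as a bare integer.
rest_write_count() {
    rest_write_hits "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: prints the one REST POST line.
rest_write_hits "$SAMPLE_LOG" || echo "no REST write requests found"
```

Run it over the real log with `rest_write_hits "$(cat /var/log/nginx/access.log)"` (path is an assumption) and compare each hit with who was actually editing at that time; a hit on its own is not proof of compromise, since legitimate REST clients use the same route, but every post touched in the window deserves a look at its current content and revision history.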
 
Moving forward, you should also ensure any WordPress plugins that you use are up to date, as these can often have serious vulnerabilities in them.

You could also check out wpscan - https://wpscan.org.

That will tell you if there are any other outstanding problems. I recommend regularly updating and re-running it.
 
I keep my stuff up to date, usually updating every week or two. Unfortunately this was only patched on the 29th and I updated on the 10th. The post was modified on the 6th! There is no way to auto update anything is there?
 
Hmm. Interesting. It's not something I would usually turn off so mine obviously wasn't on by default. I'll have a look and see if I can make it update by default. Thanks.

Edit: there isn't anything in settings, looks like I'm going to need to edit the php file to allow updates.
 
That's odd - automatic updates were introduced a while ago (3.7, I think).
Maybe the option has moved or I've remembered it wrong? But there certainly isn't any need to edit any code to enable it.

This is for WordPress core, not auto-update of plugins.
 
touch;30497132 said:
That's odd - automatic updates were introduced a while ago (3.7, I think).
Maybe the option has moved or I've remembered it wrong? But there certainly isn't any need to edit any code to enable it.

This is for WordPress core, not auto-update of plugins.

I don't think it auto-updates 0.1 updates, just 0.0.1

So I don't think Wordpress will automatically update from version 4.6 to 4.7, but it would upgrade 4.7.1 to 4.7.2.

I've looked back through my emails and I've never had a 0.1 update automatically, just a 0.0.1. Perhaps it would upgrade automatically but there is a delay for 0.1 upgrades to allow devs debugging time?

Edit: The options are in the wp-config.php settings: https://codex.wordpress.org/Configuring_Automatic_Background_Updates
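The distinction in this post (minor 4.7.1 to 4.7.2 updates by default, major 4.6 to 4.7 only if enabled) is controlled by constants in wp-config.php. The script below is an added example, not from the thread or from WordPress; it reads a config file and reports the effective core policy. The constant names are the documented ones (WP_AUTO_UPDATE_CORE, AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_MODS); the sample wp-config.php it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the WordPress project): report the
# core auto-update policy set in a wp-config.php.
#   WP_AUTO_UPDATE_CORE true     -> all core releases, including 4.6 -> 4.7
#   WP_AUTO_UPDATE_CORE 'minor'  -> security/minor releases only (the default when unset)
#   WP_AUTO_UPDATE_CORE false    -> no core auto-updates
#   AUTOMATIC_UPDATER_DISABLED / DISALLOW_FILE_MODS true -> updater off entirely

# Matches a live (not commented-out) define('NAME', true) line.
_true_define() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$2"
}

# Usage: core_update_policy /path/to/wp-config.php
# Prints one of: disabled | none | minor | all
core_update_policy() {
    cfg="$1"
    if _true_define AUTOMATIC_UPDATER_DISABLED "$cfg" || _true_define DISALLOW_FILE_MODS "$cfg"; then
        echo disabled
        return 0
    fi
    # Value of the first live define('WP_AUTO_UPDATE_CORE', ...), quotes and spaces stripped.
    val=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"]" "$cfg" \
          | head -n 1 \
          | sed -E "s/.*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*([^)]*)\).*/\1/" \
          | tr -d " '\"")
    case "$val" in
        true)     echo all ;;
        false)    echo none ;;
        minor|"") echo minor ;;   # WordPress default when the constant is absent
        *)        echo "unknown ($val)" ;;
    esac
}

# Stand-alone demonstration on a constructed config file.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
// define( 'WP_AUTO_UPDATE_CORE', false );   // commented out, so ignored
define( 'WP_AUTO_UPDATE_CORE', true );       // take every core release automatically
EOF
echo "policy: $(core_update_policy "$demo_cfg")"   # policy: all
rm -f "$demo_cfg"
```

Running it against a site whose config never mentions these constants prints `minor`, which is exactly the behaviour described above: the 4.7.2 security release would have been applied automatically, a 4.6 to 4.7 jump would not.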
 
It should auto-update by default.
You have to go to settings > disable updates to turn it off

Any decent WordPress admin will change the permissions on the WordPress install to stop the HTTP server being able to write to the WordPress directory, which automatically disables the auto update feature. Having your HTTP server able to write to the file system is just asking for your site to be hacked. Just log into your WordPress site once a day to see if an update is available and, if it is, manually update. Nice and easy.
 
Any decent WordPress admin will change the permissions on the WordPress install to stop the HTTP server being able to write to the WordPress directory, which automatically disables the auto update feature. Having your HTTP server able to write to the file system is just asking for your site to be hacked. Just log into your WordPress site once a day to see if an update is available and, if it is, manually update. Nice and easy.

I agree - that's the best way to do it.
Even with the permissions set like this, it doesn't disable the auto-update (it just fails when trying to update), so I don't know why Amp's install isn't doing auto-updates. To turn it off you need to add the option to the config file as someone else said, not in the settings page like I said.
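The permission scheme the two posts above describe (web server reads but cannot write the install, so a compromised plugin cannot drop files, at the cost of the background updater failing) is easy to get subtly wrong. The script below is an added example for both posts, not code from the thread or from WordPress; it audits an install for group- or world-writable entries and applies the read-only layout. It assumes a deploy user owns the tree and the web server runs under a separate group that only needs read access, with wp-content/uploads as the one tree it must still write; ownership changes (chown) are left to the operator because they need root.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden WordPress file
# permissions so the HTTP server cannot modify code. Assumed layout:
#   deploy user owns everything, web server group has read-only access,
#   wp-content/uploads stays group-writable for media uploads.

# List group- or world-writable files and directories under the install,
# skipping wp-content/uploads, which the web server legitimately writes to.
writable_audit() {
    find "$1" -path "$1/wp-content/uploads" -prune -o \
         \( -perm -020 -o -perm -002 \) -print
}

# Count of findings, as a bare integer (0 is the target state).
writable_count() {
    writable_audit "$1" | wc -l | tr -d ' '
}

# Directories 750, files 640 (group read-only), uploads 770/660.
# Run as the owning user; follow with chown -R deploy:www-data as root
# (user and group names are assumptions for this example).
harden_tree() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
    if [ -d "$1/wp-content/uploads" ]; then
        find "$1/wp-content/uploads" -type d -exec chmod 770 {} +
        find "$1/wp-content/uploads" -type f -exec chmod 660 {} +
    fi
}

# Stand-alone demonstration on a constructed install tree.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads" "$demo/wp-includes"
echo '<?php' > "$demo/wp-config.php"
echo '<?php' > "$demo/wp-includes/a.php"
chmod 666 "$demo/wp-config.php"          # the kind of mistake the audit should catch
echo "before hardening: $(writable_count "$demo") writable entries"
harden_tree "$demo"
echo "after hardening:  $(writable_count "$demo") writable entries"
rm -rf "$demo"
```

After `harden_tree` the core updater will report that it cannot write to the install, which is the failure the last post describes: the feature is still enabled, it just cannot complete, so either accept manual updates as that post suggests or run the update as the deploy user with `wp core update` (WP-CLI) rather than from the web process.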
 