Wordpress Vulnerability Compromises Tens Of Thousands Of Websites

I recently wrote about a zero-day flaw in Wordpress which allowed hackers to bypass the permissions/privilege limitations usually present, in order to view, edit, delete, and create posts on a Wordpress-powered site. 

As is the ‘norm’ with such ‘known vulnerabilities’, Wordpress did not initially disclose the vulnerability publicly, instead choosing to work on a fix with internet security research companies in order to create a patch which was released before disclosing the vulnerability. The downside of this is many users of Wordpress were oblivious to this issue and are yet to update their versions of Wordpress from 4.7.0 or 4.7.1 to the safer 4.7.2.

However, despite the best interests of Wordpress, many admins did not bother to update their websites. Thus leaving themselves open to attack from hackers targeting this vulnerability.

Wordpress has a default enabled feature which automatically updates Wordpress versions, however many Admins (often running critical services) choose to disable this feature in order to test then apply patches as they see fit. 

Many websites were attacked as a result of this, including the Linux Distribution site OpenSUSE, thankfully they responded quickly without a sensitive breach and any damage was swiftly remedied. To date over 66,000+ websites have been compromised by this bug. 

One of the hackers (referred to as a ‘defacer’ elsewhere, I have a few choice names for him/her however), managed to mass desecrate thousands of websites within 48 hours. They seem to be using the following details:

IP Addresses being used: 

  • 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1

Defacer[s] group behind it: by w4l3XzY3.

I would recommend you block these IP addresses, or at least monitor the activity on your websites for suspicious activity. I wouldn’t normally assist in the naming of these hackers/defacers, as it only gives them the notoriety and attention they crave. But in this instance I suppose I should.

There are also two other larger scale hacks being perpetrated by the following:

IP Address: 


Defacer[s] group behind it: Cyb3r-Shia.


IP Address:


Defacer[s] group behind it: By+NeT.Defacer & By+Hawleri_hacker

The last two names both seem to be using the same IP address in order to compromise sites and revel in this. Just block their IP addresses and be vigilant on your website security. Each of the hackers named are both using the same REST API vulnerability.

All these attacks are perpetrated with the aim of SEO spam (Search Engine Optimisation Poisoning), attacks by black hat hacker groups in order to boost their own ranking in search engines and spread spam accordingly. 

It is clear that if you have not updated your website to the latest version of Wordpress (4.7.2), before becoming an easy target to hackers and SEO spam attacks… Now is the time to do so. 

I would also recommend you install a resource-light exploit scanner to notify you of these issues and more. Fixhacked fulfils all of the criteria and our support team are always willing to help you remedy any site damage or bolster your all-around security. 

If you have been hacked as result of this vulnerability, I would recommend that you also take the following steps: 

  1. Download our simple easy to use (really!) exploit scanner from www.fixhacked.com 
  2. Upload this scanner to your Wordpress, it works just like utilising any of your other plugins. Upload and activate. That is all! 
  3. Let us do all the work, by scanning all of your Wordpress files. 
  4. We tell you which files are corrupted and could be further exploited by hackers. Providing you with a solution to any exploitative issues you may have. Helping you to clean these up quickly and efficiently, and advising of any more changes wherever necessary.

It is very simple and should you require any additional help, do not hesitate to ‘Contact Us’.

Until next time.

Try FixHacked for free for one month

Try our free scanner!

Hire an Expert

I need an Expert


Chat with us and find out what you need to know!

Start livechat