Oops, made the unforgivable error of NOT updating WordPress, which allowed a hacker to inject content directly into a couple of WordPress Posts on my very old Free Recipe site!!!!
As you can see in the screenshot below, there are two posts that aren’t recipes:
- Watch Logan (2017) Full Movie Online Streaming & Download
- The Best Online Pharmacy. Buy Cialis Without Prescription – Orders-Cialis.info
WordPress REST-API Exploit
A hacker had used the WordPress REST-API Exploit to change the content of two Posts (both originally food recipes).
Over 15 years’ experience building and securing sites and I get hacked with a basic WordPress exploit that has a patch!
In my defence I run about 80 domains using WordPress, with most added to a small number of WordPress domain-mapped installs (means I can update 30ish WordPress sites in a few clicks), and have them ALL set to auto update. In theory this means I don’t NEED to update WordPress regularly (it used to be the case that every minor update required manual action). With WordPress auto update active, security fixes are automatically patched, so though you should update every major release, you don’t absolutely have to on the day of release (I try to get it done within a month of a major release).
However, I’d forgotten that two of my domains are so old, and have been passed between various servers (over a dozen), that the auto update feature doesn’t work: I still have to manually add the FTP details to update (must fix this ASAP).
Anyway, I moved my sites to a new server about 6 months ago, made sure everything was up to date (WordPress 4.7 was the latest release) and left them to auto update until WordPress 4.8 is released (which is now), when I’d update them all manually again (click the update button in WordPress). This means all but two of my sites were getting the WordPress ‘minor’ auto updates, including security fixes.
One site that wasn’t getting the auto updates was being worked on regularly, so as WordPress needed a manual minor update I updated it. That domain wasn’t compromised by the WordPress REST-API exploit.
The remaining domain that wouldn’t auto update (the recipe site) hasn’t been modified in years (not very important, makes a few thousand dollars a year, so I just leave it alone). It was stuck at WordPress 4.7 until earlier today, and it was hit with the WordPress REST-API exploit. DOH!!!
Was an easy fix. Since I’d not updated the content in years I used an old backup (pre WordPress 4.7.0) to restore the site. Changed the password on the virtual server, changed the WordPress password, updated WordPress (manually) to WordPress 4.8.0 and the site is now back to normal without the exploit or hacked content.
Moral of the story: make regular backups, make sure WordPress is kept up to date, and don’t assume auto update is working.
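One way to check that auto update really is working when many installs share a server, as an added example that is not part of the original post: read the `$wp_version` line from each install's `wp-includes/version.php` and report any install that is behind the newest one found. The one-folder-per-site layout and the site names `blog-a`, `blog-b` and `recipes` are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Every WordPress install defines $wp_version in wp-includes/version.php.
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def parse_version(text):
    """Return (raw, comparable tuple) from version.php text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # Compare on the numeric part only, padded to three fields: "4.7" -> (4, 7, 0)
    nums = [int(n) for n in re.findall(r"\d+", m.group(1).split("-")[0])][:3]
    return (m.group(1), tuple(nums + [0] * (3 - len(nums)))) if nums else None

def lagging_installs(root):
    """List (relative path, version) of installs older than the newest under root."""
    root = Path(root)
    installs = {}
    for vf in root.glob("**/wp-includes/version.php"):
        site = vf.parent.parent.relative_to(root).as_posix()
        installs[site] = parse_version(vf.read_text(errors="replace"))
    known = [v[1] for v in installs.values() if v]
    newest = max(known, default=None)
    report = []
    for site, v in sorted(installs.items()):
        if v is None:
            report.append((site, "unreadable"))  # needs a manual look
        elif v[1] < newest:
            report.append((site, v[0]))
    return report

def demo():
    """Constructed sample tree: two sites on 4.8, one left behind on 4.7."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in [("blog-a", "4.8"), ("blog-b", "4.8"), ("recipes", "4.7")]:
            inc = Path(tmp, site, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return lagging_installs(tmp)

if __name__ == "__main__":
    for site, ver in demo():
        print(f"{site}: {ver} is behind the newest install on this server")
```

This only catches installs that lag behind their siblings; if every install on the server has stopped updating, they will all match each other and nothing is reported.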