Some WordPress users claim a decision to delay disclosure of a security issue opened the door to hackers. PHOTO: Patryk Sobczak

You can urge WordPress users to keep the platform software up to date. But, like the proverbial horse led to water, you can't make them do it.

So the news that hackers have been having what one expert described as a "feeding frenzy" on WordPress sites should really come as no surprise. We have all been here before, lamenting vulnerabilities in the world's most popular content management system.

The question this time is whether WordPress acted in the most responsible way to warn its customers about a potentially critical vulnerability. As it stands, its actions are generating a lot of debate.

WordPress Déjà Vu

If your business hasn't upgraded to the latest version of WordPress, it is now a sitting digital duck for an ongoing wave of cyberattacks. Reports indicate as many as two million web pages on WordPress websites have been defaced in the past three weeks.

According to Mark Maunder, CEO and founder of Wordfence, a Seattle startup that makes a firewall and malware scanner for WordPress, the latest incident is just like the previous WordPress attacks: largely the result of users failing to upgrade.

WordPress 4.7.2, a security release for all previous versions, was released late last month. Version 4.7.2 contained a patch for a vulnerability that allows hackers to attack and alter content on WordPress websites. But that's where things get complicated.

WordPress Makes Partial Disclosure

On a Jan. 26 blog post on WordPress.org, Aaron D. Campbell, team lead of the WordPress Security Team and a WordPress Core Contributor at GoDaddy, announced the update. He "strongly" encouraged users to update their sites "immediately," citing three specific site vulnerabilities.

On Feb. 1, Campbell acknowledged that WordPress 4.7 and 4.7.1 "had one additional vulnerability for which disclosure was delayed." WordPress "intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," he explained. Sucuri had notified WordPress on Jan. 20 that one of its security researchers, Marc-Alexandre Montpas, had discovered the vulnerability. Campbell continued:

"The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed. Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no outside attempts were discovered by Sucuri."

Campbell said WordPress "made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public."

Second Guessing the WordPress Strategy

WordPress earned both admiration and anger for the way it handled the vulnerability.

Maunder, writing in a Feb. 6 blog post, noted the initially undisclosed vulnerability "resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites. During the past 48 hours, we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

"The attackers using the REST-API exploit are defacing websites by leaving their own signature on a defaced WordPress page. We are currently tracking 20 different defacement campaigns," he continued.

In every case where a site was successfully attacked, the owner had neither updated to the new WordPress version nor put an effective firewall rule in front of the site to block this vulnerability.

Maunder also pointed out in a follow-up post on Feb. 10 that the total number of defaced pages for all the attacks, as indexed by Google, grew from 1,496,020 to 1,893,690 in one 24-hour period, an increase of roughly 27 percent.

The decision to withhold information was soundly criticized by German online magazine Heise.de, which said WordPress deliberately downplayed a serious situation. In the story (translated from German), author Fabian A. Scherschel noted:

"The sufferers are, above all, the WordPress users, who have not activated the auto-update function of the CMS for various reasons - for example because they are not compatible with the configuration of their web host. For the future, this means that WordPress users will no longer be able to rely on assessing the priority of developers' updates and installing all updates as quickly as possible. If possible, auto-updates should be enabled."

However you feel about the way WordPress handled the issue, the message is clear: The safest thing to do is continually update your sites.
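One way to act on that advice across a fleet is to audit each install for exactly the two conditions the article ties to the defacements: a core version below the 4.7.2 security release, and auto-updates switched off. The script below is an added example written for this page; it is not code from the article, Wordfence, Sucuri or WordPress.org. It assumes each install records its version in wp-includes/version.php as `$wp_version = '...';` (which is where WordPress core writes it) and that auto-updates, when disabled, were disabled through the `AUTOMATIC_UPDATER_DISABLED` or `WP_AUTO_UPDATE_CORE` constants in wp-config.php. The sample installs it creates under a temporary directory are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not code from the article, Wordfence, Sucuri or WordPress.org):
# audit a set of WordPress installs for core older than the 4.7.2 security
# release, and flag installs whose wp-config.php switches core auto-updates off.

FIXED_VERSION="4.7.2"   # the security release named in the article

# version_lt A B -> exit 0 when dotted version A is older than B
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = x[i] + 0; yi = y[i] + 0;   # a missing component counts as 0
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;                            # equal versions are not "older"
  }'
}

# wp_version DIR -> prints the core version recorded in wp-includes/version.php
# (WordPress core writes it there as: $wp_version = '4.7.1';)
wp_version() {
  grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null | cut -d"'" -f2
}

# auto_updates_disabled DIR -> exit 0 when wp-config.php defines
# AUTOMATIC_UPDATER_DISABLED as true or WP_AUTO_UPDATE_CORE as false.
# Caveat: a define() in an included file, or a plugin hooking the
# automatic_updater_disabled filter, also turns updates off and is not seen here.
auto_updates_disabled() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || return 1
  grep -Eiq "define\([[:space:]]*['\"]AUTOMATIC_UPDATER_DISABLED['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" && return 0
  grep -Eiq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$cfg" && return 0
  return 1
}

# audit_install DIR -> prints "DIR<TAB>VERSION<TAB>STATUS"; exit 0 only when the
# install is at or above FIXED_VERSION and auto-updates have not been disabled
audit_install() {
  dir="$1"
  ver=$(wp_version "$dir")
  status=""
  if version_lt "${ver:-0}" "$FIXED_VERSION"; then status="VULNERABLE"; fi
  if auto_updates_disabled "$dir"; then status="${status:+$status,}auto-updates-off"; fi
  printf '%s\t%s\t%s\n' "$dir" "${ver:-unknown}" "${status:-ok}"
  [ -z "$status" ]
}

# audit_all ROOT -> audits every ROOT/*/ install; exit status = number needing attention
audit_all() {
  bad=0
  for d in "$1"/*/; do
    d=${d%/}
    if ! audit_install "$d"; then bad=$((bad + 1)); fi
  done
  return "$bad"
}

# --- constructed sample installs so the script runs stand-alone ---
make_sample() {   # make_sample DIR VERSION [EXTRA_WP_CONFIG_LINE]
  mkdir -p "$1/wp-includes"
  printf '<?php\n$wp_version = '\''%s'\'';\n' "$2" > "$1/wp-includes/version.php"
  printf '<?php\n%s\n' "${3:-}" > "$1/wp-config.php"
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/siteA" 4.7.1 "define('AUTOMATIC_UPDATER_DISABLED', true);"
make_sample "$SAMPLE/siteB" 4.7.2
make_sample "$SAMPLE/siteC" 4.6.3
make_sample "$SAMPLE/siteD" 4.7.2 "define( 'WP_AUTO_UPDATE_CORE', false );"

# One line per site; only siteB comes back "ok".
audit_all "$SAMPLE" || echo "$? install(s) need attention"
```

Point `audit_all` at the directory that holds your document roots and feed the non-zero exit status to whatever runs your nightly checks. The version check is the one that maps to the article's finding; the auto-update check is a heuristic, since a hosting panel or plugin can disable updates without touching wp-config.php, so treat a clean result there as "nothing obvious" rather than proof.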