
Forum Moderators: rogerd & travelin cat

Update Your Wordpress to 4.7.2 from 4.7.1

     
9:56 pm on Feb 6, 2017 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Oct 29, 2012
posts:384
votes: 43


Just a little public announcement because a good number of us run WordPress sites. There is an exploit that is being spread that can change content on sites. I think the exploit script distributed only targets the latest post, but one can never be too sure. I was hit.
9:04 am on Feb 7, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24270
votes: 544


Ahhh, yes, thanks. I'd already updated, but I'm sure many will just forget.
Don't forget to update plugins at the same time.
10:26 am on Feb 7, 2017 (gmt 0)

New User

joined:Dec 28, 2016
posts:1
votes: 0


Were also hit yesterday and updated WordPress the first thing after.
11:29 am on Feb 7, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3146
votes: 215


You can use .htaccess to block a lot of the bots that are looking for WordPress vulnerabilities. If done properly, it can't do any harm, and might save you some future grief.
1:31 pm on Feb 7, 2017 (gmt 0)

New User

joined:Jan 27, 2017
posts:22
votes: 3


Aristotle, I use WordFence, which, at least in theory, should block computers getting more than a specified number of 404 errors (I set it to 2). But of course, bot networks constantly change IPs and if I do have the plugin or file, there will be no 404 at all. I would be very interested in your .htaccess solution and the logic it uses for blocking.
1:52 pm on Feb 7, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3146
votes: 215


ambt -- Actually I don't use WordPress for my sites, but I see a lot of bots in the logs that try to access WordPress files looking for vulnerabilities. On my sites they always get either 403s or 404s.

I don't know much about Wordfence, but from your description, what you're doing with it sounds like a good strategy.

Anyway, here's some of the code I use in my .htaccess for defending my sites:
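# BLOCK FILES
# Dots are escaped so they match a literal "." only. The pattern is anchored
# at the start of the file name, so wp-config.php.bak is blocked as well.
<FilesMatch "^(wp-config\.php|update\.php|xmlrpc\.php|wp-login\.php|license\.txt)">
# Apache 2.2 access syntax (on 2.4 this needs mod_access_compat)
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

# BLOCK BLANK USER AGENTS
# mod_rewrite rules are ignored unless the engine is switched on
RewriteEngine On
# Matches an empty User-Agent or a lone "-"
RewriteCond %{HTTP_USER_AGENT} ^-?$
# "-" leaves the URL unchanged, [F] returns 403 Forbidden
RewriteRule ^ - [F]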

I didn't write any of that code myself -- It's mostly standard code that is commonly used and easy to find by searching. If you like, you can add additional files to the "Block Files" section.
3:21 pm on Feb 7, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3146
votes: 215


ambt -- Oops I might have made a bad suggestion. Before you change anything in .htaccess, you want to be sure that you don't accidentally block yourself from parts of your own site.
3:26 pm on Feb 7, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14482
votes: 330


Here is a link to a Sucuri article [blog.sucuri.net] on this topic. This is serious. Take a moment to verify you're all patched up to version 4.72 of WP.

Security Risk: Severe
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Content Injection
Patched Version: 4.7.2


Some are saying it might not be enough to patch WP to 4.72. Thus, there are plug-ins that go beyond the patch by disabling REST-API to users who are not logged in admins. Anyone know if this is necessary? Here is a link to a plug-in to disable REST-API [wordpress.org] to Non-Admins. Is this plug-in necessary?

Very important: Read the Sucuri WordPress Content Injection article here. [blog.sucuri.net]
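A log-triage check for sites that may already have been hit, as an added example that is not part of the original post: it lists write requests to the REST posts route that the server answered with a 2xx, so the affected post IDs can be compared against their revision history. It assumes combined-format access logs and the default `/wp-json/` prefix (or `?rest_route=`); the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip, ident, user, [timestamp], "request line", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Posts route, reachable as /wp-json/wp/v2/posts/<id> or ?rest_route=/wp/v2/posts/<id>
POST_ROUTE_RE = re.compile(r'(?:/wp-json|[?&]rest_route=)/wp/v2/posts/(?P<id>\d+)', re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def find_rest_post_writes(lines):
    """Return accepted write requests to the posts REST route, keyed by post id."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        # Decode %2F etc. so the rest_route= form is recognised too.
        route = POST_ROUTE_RE.search(unquote(m["path"]))
        # Only 2xx means the write was accepted; 401/403 were refused.
        if route and m["status"].startswith("2"):
            hits[int(route["id"])].append((m["ts"], m["ip"], m["method"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Feb/2017:21:40:02 +0000] "POST /wp-json/wp/v2/posts/412 HTTP/1.1" 200 1834 "-" "-"',
    '198.51.100.7 - - [06/Feb/2017:21:40:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "-"',
    '203.0.113.20 - - [06/Feb/2017:22:01:11 +0000] "POST /wp-json/wp/v2/posts/412 HTTP/1.1" 401 120 "-" "curl/7.50"',
    '203.0.113.9 - - [07/Feb/2017:03:12:40 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F398 HTTP/1.1" 200 1790 "-" "-"',
    '192.0.2.44 - - [07/Feb/2017:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for post_id, events in sorted(find_rest_post_writes(SAMPLE_LOG).items()):
        for ts, ip, method in events:
            print(f"post {post_id}: {method} accepted from {ip} at {ts}")
```

Run it over the real access log by passing an open file object instead of `SAMPLE_LOG`.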
3:30 pm on Feb 7, 2017 (gmt 0)

New User

joined:Jan 27, 2017
posts:22
votes: 3


Thanks, Aristotle. If you don't use WordPress and you block everyone who tries to access typical WP pages, it makes sense.
I renamed my wp-login page and switched off rpc, and everyone who tries to access this page or xmlrpc.php is immediately redirected to some Chinese site.
3:39 pm on Feb 7, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts: 348
votes: 50


>> immediately redirected to some Chinese site. <<

Ah! This is why I get a surge of traffic sometimes :-)

By the way, why is it posted in the Google forum?
5:03 pm on Feb 7, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3146
votes: 215


>> I renamed my wp-login page <<

That might be risky, because future Wordpress updates might want to make changes to that file and wouldn't know that the name has been changed.
5:12 pm on Feb 7, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3281
votes: 161


I just use a captcha on the login page. It doesn't show for me but seems to discourage the bots.
8:05 pm on Feb 7, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 5, 2009
posts:1451
votes: 200


I really appreciate the heads up. I was hit with TimThumb hell in the past. This type of situation always begs the question: are so many updates crucial to WordPress? Update, roll the dice, update, roll the dice...
4:06 pm on Feb 10, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24270
votes: 544


It's suggested that over 1.5 million sites that failed to update when this was released have been defaced.
6:06 pm on Feb 10, 2017 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Oct 29, 2012
posts:384
votes: 43


Yup, it's pretty severe and relatively hands-free and easy for the script to attack any un-updated site. Given the speed and intensity at which the exploit is spreading and hitting sites, I initially posted it in Google SEO, trying to get it the attention it deserved.

At least the script being around only attacks and defaces the latest post. Perhaps a few permutations later there will be one that defaces the entire site (I believe the initial findings suggest that the exploit has the capability to alter any posts), then that'll be a bitch to fix.
7:57 pm on Feb 10, 2017 (gmt 0)

New User

joined:Aug 10, 2016
posts: 16
votes: 3


Reading this title confused me a bit.

You mean, make sure to upgrade from 4.7.1 to the latest version 4.7.2 because of the mentioned exploit, correct? Not a downgrade?
8:48 pm on Feb 10, 2017 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Oct 29, 2012
posts:384
votes: 43


Upgrade "to" the latest version of 4.7.2.

It's easy to see some of the sites that got hit. Just search "hacked by" and set the time frame to like 24 hours and it's still ongoing.
3:29 am on Feb 12, 2017 (gmt 0)

Junior Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 81
votes: 4


I received nag upgrade messages from my host provider and Google to upgrade, but I had already done it. This was the first time from Google. I was surprised.
12:23 am on Feb 15, 2017 (gmt 0)

Full Member from US 

10+ Year Member

joined:May 16, 2006
posts: 286
votes: 0


I ended up just recently creating a new Wordpress site and rather than worry about upgrading several other sites with older versions I just rolled them all together on the new site... Appropriate redirects from old to new...