Forum Moderators: rogerd & travelin cat


Update Your Wordpress to 4.7.2 from 4.7.1


frankleeceo

9:56 pm on Feb 6, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Just a little public announcement because a good number of us run WordPress sites. There is an exploit being spread that can change content on sites. I think the exploit script distributed only targets the latest post, but one can never be too sure. I was hit.

engine

9:04 am on Feb 7, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Ahhh, yes, thanks. I'd already updated, but i'm sure many will just forget.
Don't forget to update plugins at the same time.

cr1m

10:26 am on Feb 7, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



We were also hit yesterday and updated WordPress first thing after.

aristotle

11:29 am on Feb 7, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can use .htaccess to block a lot of the bots that are looking for WordPress vulnerabilities. If done properly, it can't do any harm, and might save you some future grief.

ambt

1:31 pm on Feb 7, 2017 (gmt 0)

5+ Year Member



Aristotle, I use Wordfence, which, at least in theory, should block computers getting more than a specified number of 404 errors (I set it to 2). But of course, bot networks constantly change IPs, and if I do have the plugin or file, there will be no 404 at all. I would be very interested in your .htaccess solution and the logic it uses for blocking.

aristotle

1:52 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ambt -- Actually I don't use WordPress for my sites, but I see a lot of bots in the logs that try to access WordPress files looking for vulnerabilities. On my sites they always get either 403s or 404s.

I don't know much about Wordfence, but from your description, what you're doing with it sounds like a good strategy.

Anyway, here's some of the code I use in my .htaccess for defending my sites:
# BLOCK FILES
# FilesMatch tests the basename of the requested file in this directory and
# every subdirectory, so wp-admin/update.php is covered as well. The pattern
# is only anchored at the start, so copies such as wp-config.php.bak are
# refused too. Note that denying wp-login.php also locks out your own login.
# "Order"/"Deny from" is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat
# loaded, or use "Require all denied" instead of these three lines.
<FilesMatch "^(wp-config.php|update.php|xmlrpc.php|wp-login.php|license.txt)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

# BLOCK BLANK USER AGENTS
# mod_rewrite rules do nothing unless the engine is switched on. A missing
# User-Agent is logged as "-", so both empty and "-" are answered with 403.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^ - [F]

I didn't write any of that code myself -- It's mostly standard code that is commonly used and easy to find by searching. If you like, you can add additional files to the "Block Files" section.

aristotle

3:21 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ambt -- Oops I might have made a bad suggestion. Before you change anything in .htaccess, you want to be sure that you don't accidentally block yourself from parts of your own site.

martinibuster

3:26 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Here is a link to a Sucuri article [blog.sucuri.net] on this topic. This is serious. Take a moment to verify you're all patched up to version 4.7.2 of WP.

Security Risk: Severe
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Content Injection
Patched Version: 4.7.2


Some are saying it might not be enough to patch WP to 4.7.2. Thus, there are plug-ins that go beyond the patch by disabling the REST API for users who are not logged-in admins. Anyone know if this is necessary? Here is a link to a plug-in to disable the REST API [wordpress.org] for non-admins. Is this plug-in necessary?

Very important: Read the Sucuri WordPress Content Injection article here. [blog.sucuri.net]
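Aristotle's rules deny a short list of WordPress files and blank user agents, and the Sucuri write-up martinibuster links describes content injection through the REST API. Before tuning either control it helps to see what the access log actually records. The following is an added example (my own code, not from the thread, WordPress, Wordfence or Sucuri) that parses Apache combined-format log lines and tags three things: requests for the files in aristotle's FilesMatch list, blank user agents, and write methods (POST/PUT/PATCH/DELETE) against the wp/v2/posts REST route, in both the /wp-json/ and the ?rest_route= forms, while leaving ordinary GET reads of the same route alone. The log lines are constructed for the example and use reserved documentation addresses; the threshold of 2 mirrors ambt's Wordfence setting and is an arbitrary choice. One caveat: a legitimate editor publishing through the REST API is tagged the same way, so check the flagged IPs against your own logins before blocking.

```python
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2017:09:01:12 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [07/Feb/2017:09:01:13 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Feb/2017:09:02:40 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1042 "-" "python-requests/2.12.4"
198.51.100.23 - - [07/Feb/2017:09:02:41 +0000] "POST /index.php?rest_route=/wp/v2/posts/12 HTTP/1.1" 200 1042 "-" "python-requests/2.12.4"
192.0.2.55 - - [07/Feb/2017:09:05:00 +0000] "GET /2017/02/some-post/ HTTP/1.1" 200 8831 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [07/Feb/2017:09:05:02 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache combined format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The basenames aristotle's FilesMatch rule denies.
BLOCKED_FILES = {"wp-config.php", "update.php", "xmlrpc.php", "wp-login.php", "license.txt"}
# Methods that modify a post through the REST API; plain GETs are normal reads.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REST_POSTS_ROUTE = re.compile(r"^/wp/v2/posts/[^/]+")


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rest_route(target: str) -> Optional[str]:
    """Return the REST route of a request, whether it used the pretty
    /wp-json/... form or the ?rest_route=... query form; None if not REST."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    return None


def classify(entry: dict) -> list[str]:
    """Tags for one parsed request: blank-ua, blocked-file, rest-post-write."""
    tags = []
    if entry["ua"] in ("", "-"):
        tags.append("blank-ua")
    basename = urlsplit(entry["target"]).path.rsplit("/", 1)[-1]
    if basename in BLOCKED_FILES:
        tags.append("blocked-file")
    route = rest_route(entry["target"])
    if route and entry["method"] in WRITE_METHODS and REST_POSTS_ROUTE.match(route):
        tags.append("rest-post-write")
    return tags


def scan(log_text: str) -> dict[str, Counter]:
    """Tally tags per client IP; IPs with no flagged requests are omitted."""
    per_ip: dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            per_ip[entry["ip"]][tag] += 1
    return dict(per_ip)


def suspicious_ips(log_text: str, threshold: int = 2) -> list[str]:
    """IPs whose flagged requests reach the threshold (2 echoes ambt's Wordfence limit)."""
    return sorted(ip for ip, c in scan(log_text).items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("block candidates:", suspicious_ips(SAMPLE_LOG))
```

Run against a real log with `scan(open("/var/log/apache2/access.log").read())`; the REST-write tag is the one worth watching after applying 4.7.2, since the .htaccess rules above never touch /wp-json/ or ?rest_route= requests.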

ambt

3:30 pm on Feb 7, 2017 (gmt 0)

5+ Year Member



Thanks, Aristotle. If you don't use WordPress and you block everyone who tries to access typical WP pages, it makes sense.
I renamed my wp-login page and switched off RPC, and everyone who tries to access this page or xmlrpc.php is immediately redirected to some Chinese site.

Dimitri

3:39 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



>> immediately redirected to some Chinese site. <<

Ah! This is why I get surge of traffic sometimes :-)

By the way, why is it posted in the Google forum ?

aristotle

5:03 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> I renamed my wp-login page <<

That might be risky, because future WordPress updates might want to make changes to that file and wouldn't know that the name has been changed.

not2easy

5:12 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I just use a captcha on the login page. It doesn't show for me but seems to discourage the bots.

MrSavage

8:05 pm on Feb 7, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I really appreciate the heads up. I was hit with TimThumb hell in the past. This type of situation always begs the question: are so many updates crucial to WordPress? Update, roll the dice, update, roll the dice...

engine

4:06 pm on Feb 10, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It's suggested that over 1.5 million sites that failed to update when this was released have been defaced.

frankleeceo

6:06 pm on Feb 10, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Yup, it's pretty severe, and relatively hands-free and easy for the script to attack any un-updated site. Given the speed and intensity with which the exploit is spreading and hitting sites, I initially posted it in Google SEO to try to get it the attention it deserves.

At least the script being around only attacks and defaces the latest post. Perhaps a few permutations later there will be one that defaces the entire site (I believe the initial findings suggest that the exploit has the capability to alter any posts), then that'll be a bitch to fix.

TechNoob

7:57 pm on Feb 10, 2017 (gmt 0)

5+ Year Member



Reading this title confused me a bit.

You mean, make sure to upgrade from 4.7.1 to the latest version 4.7.2. because of the mentioned exploit, correct? Not a downgrade?

frankleeceo

8:48 pm on Feb 10, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Upgrade "to" the latest version, 4.7.2.

It's easy to see some of the sites that got hit. Just search "hacked by" and set the time frame to like 24 hours and it's still ongoing.

TorontoBoy

3:29 am on Feb 12, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



I received nag messages from my host provider and Google to upgrade, but I had already done it. This was the first time from Google. I was surprised.

Chrispcritters

12:23 am on Feb 15, 2017 (gmt 0)

10+ Year Member



I just recently ended up creating a new WordPress site, and rather than worry about upgrading several other sites with older versions I rolled them all together on the new site... with appropriate redirects from old to new...