Email
Portion of the email sent by Google (via Andrew-Bossola, edited by BC)

For the past few days, Google has been making a lot of webmasters very nervous, as its Google Search Console service, formerly known as Google Webmaster, has been sending out security alerts to people it shouldn't.

These security alerts are related to the recent WordPress 4.7.2 security update, released on January 26, almost two weeks ago.

According to numerous users complaining on the Google Webmaster Central Help Forum, Google has sent out security alerts to WordPress site owners, telling them their website was running an out of date version.

Google alert caused panic among non-technical users

The problem is that many webmasters running up-to-date versions received the alerts, when it was clear they shouldn't have. While many realized there must have been a mistake on Google's part, some webmasters and their customers got alarmed.

"I know I'm on 4.7.2 but worried that Google is making a mistake and might ding us," wrote a webmaster named Sean M. Brown over the weekend, referring to a possible search ranking penalty his site could receive.

Forum post

The problem here is that some webmasters misinterpreted the nature of the email they received, which was only an alert, and not a penalty notification.

"My clients are getting warnings from Google Search console and it's making them nervous. How do I disable that warning or work around it?" wrote another webmaster who had figured out the warnings were harmless.

Forum post

The reality is that Google was sending these messages as a courtesy in case website owners forgot to update their sites, and not as an official warning. Google has been sending these alerts since 2009, and has been targeting site owners who deploy popular CMS platforms such as WordPress, Joomla, or Drupal, and who are registered in the Google Search Console.

Yesterday, following a flood of messages on its support forum, a Google spokesperson admitted they will need to work on the alert's wording to make the messages "more accurate and less confusing."

The most likely reason why owners of WordPress 4.7.2 sites received this email is that Google used an older, cached copy of their sites to determine which version of the platform they were running.

Unless WordPress webmasters use security plugins that remove a site's WordPress version number, this value is printed into the HTML of every page as a generator meta tag, for example `<meta name="generator" content="WordPress 4.7.2" />`.

Google must have cached an older copy of these sites, where the version number was still 4.7.0 or 4.7.1, and used that stale value to decide who needed a security alert via email.
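The following is an added example, not code from the article or from Google; it shows how a scanner that reads the generator tag arrives at its verdict, and why a stale cached copy produces a false alert. The sample HTML snippets are constructed for the example, and the verdict categories (`current`, `rest_api_vulnerable`, `outdated`, `unknown`) are this example's own naming, not Google's.

```python
import re

# Constructed sample pages for the example (not fetched from any real site).
LIVE_PAGE = """<html><head>
<meta name="generator" content="WordPress 4.7.2" />
<title>Example site</title></head><body></body></html>"""

CACHED_PAGE = """<html><head>
<meta name="generator" content="WordPress 4.7.1" />
<title>Example site</title></head><body></body></html>"""

# A site whose security plugin stripped the generator tag entirely.
STRIPPED_PAGE = """<html><head>
<title>Example site</title></head><body></body></html>"""

# Matches the tag WordPress core emits: <meta name="generator" content="WordPress X.Y.Z" />
# Assumption: attribute order name-then-content, as core outputs it.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)["\']',
    re.IGNORECASE,
)

# Per the article: the REST API flaw affects 4.7.0 and 4.7.1 and is fixed in 4.7.2.
REST_API_VULNERABLE = {"4.7.0", "4.7.1"}
REST_API_FIXED_IN = "4.7.2"


def wp_version(html):
    """Return the WordPress version string from the generator tag, or None if absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def version_tuple(v):
    """Turn '4.7.1' into (4, 7, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def assess(html):
    """Classify a page by the version it advertises.

    Verdicts: 'unknown' (no tag), 'rest_api_vulnerable' (4.7.0 / 4.7.1),
    'outdated' (older than 4.7.0), 'current' (4.7.2 or newer).
    """
    v = wp_version(html)
    if v is None:
        return {"version": None, "verdict": "unknown"}
    if v in REST_API_VULNERABLE:
        return {"version": v, "verdict": "rest_api_vulnerable"}
    if version_tuple(v) < version_tuple(REST_API_FIXED_IN):
        return {"version": v, "verdict": "outdated"}
    return {"version": v, "verdict": "current"}


def alert_from_cache(cached_html, live_html):
    """Model the failure mode in the article: the decision is taken from a cached
    copy, then compared against what the live page actually says.

    Returns (would_alert, cached_verdict, live_verdict, false_positive).
    """
    cached = assess(cached_html)["verdict"]
    live = assess(live_html)["verdict"]
    would_alert = cached == "rest_api_vulnerable"
    false_positive = would_alert and live == "current"
    return would_alert, cached, live, false_positive


if __name__ == "__main__":
    for label, page in (("live", LIVE_PAGE), ("cached", CACHED_PAGE), ("stripped", STRIPPED_PAGE)):
        print(label, assess(page))
    print("alert from cache:", alert_from_cache(CACHED_PAGE, LIVE_PAGE))
```

The stripped page shows the other side of the coin: a site that removes the generator tag (in WordPress this is done with `remove_action('wp_head', 'wp_generator');`, which is what the security plugins mentioned above do) gives a scanner nothing to go on, so it yields neither a true nor a false alert. Hiding the version does not patch the REST API flaw; only updating to 4.7.2 does.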

Attacks on WordPress sites amplify

Webmasters who received Google Search Console alerts that their WordPress website needs to be updated to version 4.7.2 can ignore them if they're already running the latest version.

Webmasters that haven't, need to do so as soon as possible, as WordPress 4.7.2 fixed a serious vulnerability in the WordPress REST API, which affects versions 4.7.0 and 4.7.1, and allows attackers to edit any page's title and content.

During the past week, attackers have leveraged the REST API flaw to deface WordPress sites that have not been updated. There were 67,000 defaced websites available online two days ago, over 100,000 sites yesterday, and over 1.5 million today.

When Google sent out the first alerts, security firms like Sucuri and Wordfence were recording the first attempts to exploit the patched flaw, so in the end Google had a perfectly good reason to alert Search Console users, even if it ended up scaring a few webmasters who had already done their jobs.