WordPress sites that haven't been updated to the most recent version, v4.7.2, released last week, are under attack as four hacking groups are conducting mass defacement campaigns.

According to web security firm Sucuri, which detected the attacks after details of the vulnerability became public last Monday, the attacks have been slowly growing, reaching almost 3,000 defacements per day.

Defacement attempts via REST API flaw over time (via Sucuri)

Attackers are exploiting a vulnerability in the WordPress REST API, which the WordPress team fixed almost two weeks ago, but for which they published public details last Monday.

The vulnerability allows a remote attacker to craft an HTTP request that pings a REST API endpoint and alters titles and content on the user's website.

Exploiting the flaw is trivial, and according to Sucuri, a few public exploits have been published online since last week.

Over 67,000 websites defaced already

Even though the vulnerability affects only WordPress 4.7.0 and 4.7.1 and the CMS has a built-in auto-update feature for security issues, many websites haven't been updated.

Based on data collected from Sucuri's honeypot test servers, four attackers have been busy in the past week trying to exploit the flaw.

| Group name | IP | Estimated victims |
|---|---|---|
| w4l3XzY3 | 176.9.36.102, 185.116.213.71, 134.213.54.163, 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1 (IPv6 address) | 66,000 |
| Cyb3r-Shia | 37.237.192.22 | 500 |
| By+NeT.Defacer | 144.217.81.160 | 500 |
| By+Hawleri_hacker | 144.217.81.160 | 500 |

Since the attacks have been going on for some days, Google has already started to index some of these defacements.

Defaced websites indexed by Google

Currently, the groups using the REST API flaw to deface websites are only doing it for public brand exposure, only altering page titles and their content by adding their own name.

One of the defaced sites

Sucuri's CTO, Daniel Cid, expects to see professional defacers enter the fold, such as SEO spam groups that will utilize the vulnerability to post more complex content, such as links and images.

These types of defacements are used to boost the SEO ranking of other sites or promote shady products. Websites that suffer from SEO-targeted defacements also have their SERP (Search Engine Result Page) indicator affected and risk losing their reputation on search engines, which in turn drives down traffic to their site.

Website owners are advised to update to WordPress 4.7.2 as soon as possible in order to avoid losing visibility on Google due to this REST API security issue.
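
For a site that ran 4.7.0 or 4.7.1, the web server access log shows whether the REST API received write requests before the update. The script below is an added example, not code from Sucuri or WordPress: it assumes the Apache/nginx combined log format and the core /wp/v2/posts route, lists every write request to that route, and marks those coming from the source addresses in the table above; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Source addresses listed in the article's table (Sucuri honeypot data).
REPORTED_SOURCES = {ipaddress.ip_address(a) for a in (
    "176.9.36.102", "185.116.213.71", "134.213.54.163",
    "2a00:1a48:7808:104:9b57:dda6:eb3c:61e1",
    "37.237.192.22", "144.217.81.160",
)}

# Assumed log layout: Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Core posts route, reached via pretty permalinks or the rest_route parameter.
POSTS_ROUTE = re.compile(r'(?:/wp-json|[?&]rest_route=)/wp/v2/posts\b', re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def find_rest_writes(lines):
    """Return one dict per write request to the posts route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if not POSTS_ROUTE.search(unquote(m["path"])):
            continue
        try:  # ipaddress normalises case and zero padding in IPv6 text
            known = ipaddress.ip_address(m["ip"]) in REPORTED_SOURCES
        except ValueError:
            known = False  # client field is a hostname or malformed
        hits.append({"ip": m["ip"], "time": m["ts"], "path": m["path"],
                     "accepted": m["status"].startswith("2"),
                     "reported_source": known})
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5120',
    '176.9.36.102 - - [06/Feb/2017:10:02:11 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 830',
    '2A00:1A48:7808:0104:9B57:DDA6:EB3C:61E1 - - [06/Feb/2017:10:03:40 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F7 HTTP/1.1" 200 812',
    '203.0.113.55 - - [06/Feb/2017:10:05:00 +0000] "POST /wp-json/wp/v2/posts/3 HTTP/1.1" 401 120',
    '203.0.113.10 - - [06/Feb/2017:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_rest_writes(SAMPLE_LOG):
        print(hit)
```

The access log does not record whether a request was authenticated, so each accepted write still has to be checked against the post's revision history to tell a legitimate edit from a defacement.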