On January 26, WordPress released a security update (4.7.2) to fix a set of vulnerabilities on its platform, including an SQLi and XSS vulnerability. They recommended that this version be installed immediately for security reasons. What they did not disclose was that a serious vulnerability existed in their REST API endpoint, which was introduced in the 4.7 version; however, this was fixed in version 4.7.2.
WordPress released a blog post on February 1 that revealed the endpoint vulnerability. The announcement was initially delayed because they needed to inform security companies about the vulnerability, as well as help them build rules to block these attacks. This would prevent the numerous attacks that typically follow a disclosure. Kudos to the WordPress team for taking immediate action on a serious issue.
Zero-day vulnerabilities like this always lead to major problems. While the security release has been out for some time now, and WordPress has an automatic update feature, many sites are still not updated. The repercussions are dire: defacements and site takeovers have taken place all around the world. According to Softpedia, the number now stands at one million sites!
Web applications are among the biggest targets for malicious hackers. Small to mid-sized businesses can be held for ransom, and websites can be used to host malware or to perform attacks on other sites or networks. Keeping up with vulnerabilities and patches is challenging and time-consuming, even for dedicated IT teams.
Fortunately, there’s an easy solution. The Barracuda Web Application Firewall provides complete protection against all attacks against web, mobile, and API- based applications—even against zero-day threats. In the case of WordPress, the built-in WordPress template on the Barracuda Web Application Firewall walks you through the configuration to set up and protect your site. The template is built based on our continuing research into WordPress vulnerabilities, and ensures comprehensive protection against all threats.
Unlike many other web application firewalls, the Barracuda Web Application Firewall is easy to set up and configure. It can even automate remediation of vulnerabilities with the Barracuda Vulnerability Remediation Service. The Barracuda Web Application Firewall also provides complete security against all web attacks (pdf), including application DDoS and Web Scraping.
Deployment options include physical and virtual appliances as well as cloud deployments on AWS and Azure.
Focus more on your business and less about web-based threats—try the Barracuda Web Application Firewall in your environment for 30 days, risk-free.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.