How we have protected GovPress sites from the WordPress REST API vulnerability
A large number of WordPress sites will have been defaced as a result of a recently disclosed vulnerability in the REST API. Fortunately, this did not affect sites hosted with dxw, as proactive steps had already been taken to secure client sites.
Two weeks ago, the WordPress security team told us and a number of other hosting companies about a critical vulnerability in the WordPress REST API which would be fixed in a forthcoming security release.
We took the immediate step of adding extra logging for REST API requests and checking the logs for any that seemed unusual. We then whitelisted legitimate API requests and temporarily blacklisted all API requests that might have been vulnerable to the exploit.
WordPress 4.7.2 was released on Thursday January 26th at around 19:30, and all fully managed sites were updated before 22:00 (self-managed clients were contacted and urged to update).
We continued to monitor the REST API traffic and saw no unusual requests between the update and the public disclosure of the vulnerability on the following Wednesday.
From Saturday 4th we began to see malicious attempts to alter website content. Fortunately, by this point all public sites had been updated, so on Monday 6th February we restored access to the REST API. We have now switched to logging the malicious traffic and automatically blocking sources of excessive attempts.
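The two measures described above (allow-listing legitimate REST API requests while logging the rest, then automatically blocking sources that make excessive attempts) can be illustrated with a small log-review script. The following is an added example written for this post, not dxw's own GovPress tooling: it assumes a standard web-server access log, treats read-only requests to `/wp-json/` as legitimate and any other REST API request as worth flagging, and blocks a source once it crosses a hypothetical threshold of flagged attempts. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic), in common log format.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 5120
198.51.100.7 - - [04/Feb/2017:10:01:05 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 2048
198.51.100.7 - - [04/Feb/2017:10:01:06 +0000] "POST /wp-json/wp/v2/posts/42 HTTP/1.1" 401 120
198.51.100.7 - - [04/Feb/2017:10:01:07 +0000] "POST /wp-json/wp/v2/posts/43 HTTP/1.1" 401 120
198.51.100.7 - - [04/Feb/2017:10:01:08 +0000] "POST /wp-json/wp/v2/posts/44 HTTP/1.1" 401 120
192.0.2.33 - - [04/Feb/2017:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 9000
192.0.2.33 - - [04/Feb/2017:10:02:01 +0000] "PUT /wp-json/wp/v2/posts/42 HTTP/1.1" 401 120
"""

# Common log format: client IP, identity, user, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

REST_PREFIX = "/wp-json/"
# Hypothetical allow-list: read-only methods are what a public site legitimately
# serves to anonymous visitors; anything else against the REST API is flagged.
ALLOWED_METHODS = {"GET", "HEAD", "OPTIONS"}


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in the expected format."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    entry = match.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label a parsed request: 'not_rest', 'allowed' (read-only REST) or 'suspicious'."""
    if not entry["path"].startswith(REST_PREFIX):
        return "not_rest"
    if entry["method"] in ALLOWED_METHODS:
        return "allowed"
    return "suspicious"


def analyse(log_text, block_threshold=3):
    """Flag non-read REST requests and block sources at or above the attempt threshold.

    block_threshold is a hypothetical value chosen for the sample data.
    """
    attempts = Counter()
    suspicious = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash on them
        if classify(entry) == "suspicious":
            suspicious.append(entry)
            attempts[entry["ip"]] += 1
    blocked = sorted(ip for ip, count in attempts.items() if count >= block_threshold)
    return {"suspicious": suspicious, "attempts": dict(attempts), "blocked": blocked}


def render_nginx_deny(blocked_ips):
    """Render the blocked sources as nginx 'deny' directives for inclusion in a server block."""
    return [f"deny {ip};" for ip in blocked_ips]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for entry in result["suspicious"]:
        print(f'flagged {entry["ip"]} {entry["method"]} {entry["path"]} -> {entry["status"]}')
    print("\n".join(render_nginx_deny(result["blocked"])))
```

On the sample data the three write attempts from one source cross the threshold and it is blocked, while the single attempt from the other source is only logged; the read-only requests pass untouched, which is the behaviour the post describes once the API was re-enabled.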
While our normal policy with security-sensitive features is to disable them by default and enable them when needed, the WordPress REST API is going to become more tightly integrated with site administration and future plugins, so it will likely need to be available in the future. We will continue to make any enhancements to GovPress we can to ensure that the REST API operates as securely as possible on the sites we host.
We’re grateful to the WordPress security team for including us in their advance notice of the issue, which allowed us to act quickly to mitigate it.