Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.
A rogues' gallery of sites have been hit by the defacements. They include conservative commentator Glenn Beck's glennbeck.com, Linux distributor Suse's news.opensuse.org, the US Department of Energy-supported jcesr.org, the Utah Office of Tourism's travel.utah.gov, and many more. At least 19 separate campaigns are participating and, in many cases, competing against each other in the defacements. Virtually all of the vandalism is being carried out by exploiting a severe vulnerability WordPress fixed in WordPress version 4.7.2, which was released on January 26. In an attempt to curb attacks before automatic updates installed the patch, the severity of the bug—which resides in a programming interface known as REST—wasn't disclosed until February 1.