Beware of new WordPress vulnerability

NEW YORK – April 28, 2015 – The WordPress platform is under attack by hackers who inject malicious code onto websites.

The latest zero-day attack affects WordPress version 4.2 and prior iterations. Klikki Oy, a Finnish company, warns site administrators about the latest vulnerability in a new video.

In an attack, hackers attempt to store malicious JavaScript code in WordPress site comments. This code could allow visitors’ usernames and passwords to be sent to the hacker’s website. This type of attack is officially known as a cross-site scripting attack, Forbes.com reports.

However, the attack could harm more than users. If a logged-in administrator visits an infected page, the hacker could change the administrator’s password, create new administrator accounts, and manipulate the account.

“For website [administrators], the advice for now is to disable comments until a fix is released,” according to Forbes.com.

Gary Pendergast from WordPress told Forbes that a fix is on the way. Pendergast recommends site administrators use the Akismet plugin, which is an anti-spam service that will help block attacks.

Also, security researchers at CloudFlare are warning WordPress users to beware of malicious e-mails being sent out by hackers trying to direct people to a compromised WordPress site hosted by Bluehost.

WordPress is one of the most popular blogging platforms on the web, used by more than 23 percent of the top 10 million websites, studies show.

Watch the video from Klikki to learn more about the latest website vulnerability:

Source: “WordPress Under Attack as Double Zero-Day Trouble Lands,” Forbes.com (April 27, 2015)
