
Question: Was the new REST API turned on automatically?

I don't use WordPress, but if the answer is yes then it is completely dumb to increase the attack surface like that.



The new REST API is turned on automatically as of version 4.7.0.

My site was hit; as far as hacks go, this one wasn't too bad. They defaced the last post; the solution was to revert to an earlier revision and upgrade WP to version 4.7.2.

If we had had auto-updates enabled, this attack would have been prevented. So the takeaway from this is: make sure that auto-updates are enabled.
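The thread asks whether the REST API has to stay reachable by everyone once 4.7 turns it on. As an added example (not code from the thread or from WordPress itself), this must-use plugin uses the `rest_authentication_errors` filter, which WordPress runs before any REST route handler, to refuse REST requests from visitors who are not logged in. The error code and message are my own choices. It shrinks the anonymous attack surface; it is not a substitute for applying the 4.7.2 update.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users
 * Description: Added example, not from the thread. Place this file in
 *              wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// WordPress applies this filter once per REST request, before dispatching
// to a route. Returning a WP_Error short-circuits the request with that
// error; returning the incoming $result lets the request proceed.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already produced an error or a positive auth result
    // (e.g. core's cookie/nonce check); leave its decision alone.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Anonymous request: refuse it. 401 tells clients to authenticate.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }

    // Logged-in user: fall through to core's normal checks.
    return $result;
} );
```

Anything that legitimately calls the API anonymously (oEmbed discovery for your posts, front-end JavaScript that reads `/wp-json/`) will start receiving 401s, so test the public pages after enabling it. Logged-in users and authenticated integrations are unaffected.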


Why did you disable auto-updates?


Because updates occasionally break my site


Only security updates (v0.0.X) install automatically. Version change updates (vX.Y.0) always require a site owner to explicitly install them.

If you are doing things in WordPress that break with a security patch, you need to re-examine what it is you're doing.
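The comment above describes the split WordPress makes between minor (security) releases, which install on their own, and major releases, which wait for a site owner. As an added example (not from the thread), this must-use plugin states that policy explicitly through the core filters, and extends it to plugins with an allowlist, so a site that was burned by a plugin update can still receive security releases for the plugins it trusts. The function name and plugin slugs are placeholders of my own.

```php
<?php
/**
 * Plugin Name: Auto-update policy
 * Description: Added example, not from the thread. Place in wp-content/mu-plugins/.
 */

// Core: pin the default behaviour the commenter describes so a stray
// WP_AUTO_UPDATE_CORE constant or another plugin cannot silently change it.
// Minor releases (e.g. 4.7.1 -> 4.7.2) install unattended; major releases
// (e.g. 4.7.x -> 4.8) still require a person to click Update.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: WordPress does not auto-update them by default. Instead of
// all-or-nothing, auto-update only the plugins on an allowlist. The slugs
// below are placeholders; use the directory names of your own plugins.
function example_plugin_auto_update_policy( $update, $item ) {
    $allowlist = array( 'example-security-plugin', 'example-forms-plugin' );

    // $item is the update-API object for one plugin; slug is its directory name.
    if ( isset( $item->slug ) && in_array( $item->slug, $allowlist, true ) ) {
        return true;
    }

    // Not on the list: keep whatever WordPress or an earlier filter decided.
    return $update;
}
add_filter( 'auto_update_plugin', 'example_plugin_auto_update_policy', 10, 2 );
```

Putting the policy in a must-use plugin rather than wp-config.php matters: `add_filter()` is not yet defined when wp-config.php is read, whereas mu-plugins load after WordPress's plugin API is available and cannot be deactivated from the dashboard.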



