Technical Deep Dive

WordPress: the world's most used CMS is also the most attacked. Here's why.

WordPress powers 43% of websites worldwide — and it's cybercriminals' number one target. From 2017 to today the script hasn't changed: the vectors change, not the problem. A practical guide for anyone managing WordPress who doesn't want to find it compromised.

05 Mar 2026 • Security • Pecoraro Carlo

February 2017. Hundreds of thousands of WordPress sites worldwide wake up with their content replaced.

Political messages, Arabic slogans, pages of Italian companies turned into manifestos. They hadn't been hacked one by one — it was an automated attack exploiting a single vulnerability in the WordPress API. Anyone who hadn't updated to version 4.7.2 was exposed. And most sites hadn't updated.

Nine years later, the script is the same. The vector changes, not the problem.

The CMS nobody knows but everyone uses

WordPress powers over 43% of websites worldwide. It's the default choice for anyone who wants a website without knowing how to code, for SMEs that want to manage content themselves, for anyone with a limited budget who wants something that works.

The problem is that this ease comes at a price. WordPress is cybercriminals' number one target — not because it's poorly written, but because it's everywhere. An exploit that works on 43% of the web is a profitable investment.

In Italy in 2025 there were over 116,000 cyberattacks — one every five minutes, with a frequency 17% higher than the global average. And ransomware increased by 48% compared to the previous year. These aren't abstract numbers: they're blocked sites, exfiltrated data, companies at a standstill.

How a WordPress attack works

You don't need a genius hacker. You need a script and a list of unpatched WordPress sites.

The most common attacks always follow the same logic: automated scanning of thousands of domains → identification of WordPress version and installed plugins → exploitation of known vulnerability → access, defacement or malware installation.

The REST API — the tool that allows WordPress to communicate with external apps through GET and POST requests — has been one of the main vectors. In 2017 the bug was in authentication: a malformed request was enough to modify any page on the site without credentials. Today that specific vulnerability is fixed, but the principle still holds: every exposed endpoint that isn't needed is an open door.

The real problem isn't WordPress. It's you not updating.

90% of compromised WordPress installations I've seen had at least one of these three problems:

Unpatched plugins. Third-party plugins are the most common vector. A developer abandons the plugin, stops releasing updates, and the vulnerability stays there — in thousands of installations — until someone finds and exploits it. Rule of thumb: if a plugin hasn't been updated in more than six months, replace it with an actively maintained alternative.

Weak credentials. The username "admin" still exists on millions of WordPress installations. The combination admin/admin123 or admin/companyname is the first thing automated scripts try. Change the username, use a long password, enable two-factor authentication.

WordPress core not updated. Security patches are released for a reason. Every unpatched version is a known vulnerability, documented, with publicly available exploits. Not updating for fear of breaking something is understandable — but it's a risky choice that needs to be managed, not ignored.

Five things to do right now

1. Update everything. Core, plugins, themes. Immediately. If you're afraid of breaking something, make a backup first — but update.

2. Disable the REST API for unauthenticated users. If you don't use external applications that require it, there's no reason it should be accessible to everyone. It can be disabled with a plugin or a few lines in functions.php.

3. Remove plugins you don't use. Every installed plugin — even if disabled — is code on the server. If you don't need it, delete it.

4. Change the login URL. The default /wp-admin address is what all brute force scripts look for first. Moving it to a custom path drastically reduces the noise.

5. Install a security plugin. Wordfence or iThemes Security in their free versions do plenty: firewall, login attempt monitoring, alerts on modified files.
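One way to implement step 2 without a plugin, as an added example that is not the article's own code: the `rest_authentication_errors` filter is WordPress's documented hook for this; the helper names and the allow-list contents are assumptions. Put it in the active theme's functions.php or, better, in a small must-use plugin so it survives theme changes.

```php
<?php
// Added example (not from the article): require a logged-in user for every
// REST API request, except for an allow-list of routes that must stay public.

// Assumed allow-list: route prefixes (the part after /wp-json) that
// unauthenticated clients may still call, e.g. a contact-form plugin's
// submission endpoint. Leave it empty if no external application needs the API.
function my_public_rest_routes() {
    return array(
        // '/contact-form-7/',   // example prefix, uncomment only if needed
    );
}

function my_restrict_rest_api( $result ) {
    // Another authentication handler already produced an error: keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Logged-in users (cookie + nonce, application passwords) keep full access,
    // so the block editor and wp-admin keep working.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Route of the current request, e.g. "/wp/v2/posts"; WordPress stores it
    // in the rest_route query var before the API server is invoked.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    foreach ( my_public_rest_routes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }
    // Everything else is refused with 401 before any endpoint callback runs.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'my_restrict_rest_api' );
```

After enabling it, check that `GET /wp-json/wp/v2/posts` from a logged-out browser returns a 401 JSON error while the editor still loads when you are logged in; if a front-end form stops working, add its route prefix to the allow-list rather than removing the filter.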

If you manage WordPress for your company

You don't need to become a security expert. You need someone to keep the site updated and alert you if something goes wrong. A compromised site isn't just reputational damage — it's customer data at risk, potential GDPR penalties, and hours of work to restore everything.

If you don't have anyone doing this, it's time to ask yourself a question.


Original article — February 16, 2017

WordPress attack, content modified on hundreds of thousands of sites

Hundreds of thousands of WordPress sites around the world — many in Italy — found their content replaced. They hadn't been attacked one by one: an exploit in the REST API of WordPress 4.7.0 and 4.7.1 allowed anyone to modify any page without authentication, through simple POST requests to the /wp-json/wp/v2/posts path.

The patch came out on January 26, 2017 with version 4.7.2. Anyone who hadn't updated was exposed. Most sites hadn't updated.

The messages left by attackers were initially political in nature, but the real risk was more serious: by combining the vulnerability with plugins like Exec-PHP it was possible to execute arbitrary code on the server. The lesson was simple: updating WordPress is not optional.

Original content by Pecoraro Carlo.
Editorial writing assisted by Claude AI (Anthropic).