With the recent spike in the number of cyberattacks on websites using the popular web-management platform WordPress, a government-backed IT security agency urged website administrators and managers to patch a vulnerability that allows hackers to deface their sites.
The Information-technology Promotion Agency (IPA) Japan released a warning Monday, calling owners of websites that use the content-management system to update the software to the latest version “immediately” so that their websites can be protected from malevolent attacks.
More than 26 percent of websites on the internet use the open-source platform, including official websites for the Walt Disney Co., Microsoft News Center, and the Indian Prime Minister’s Office, according to WordPress.
IPA warns that software versions 4.7.0 and 4.7.1 contain the vulnerability. WordPress released a software update (wordpress.org/news/2017/01/wordpress-4-7-2-security-release/) on Jan. 26 to patch the breach.
Websites in Japan, including the official website of Olympic minister Tamayo Marukawa, reportedly had fallen victim to attacks.
Marukawa, who serves on the government committee tasked with drafting and implementing cybersecurity strategies, said Monday her official website that logs her activity had been hacked and showed messages such as “HaCkeD By MuhmadEmad” and “KurDish HaCk3rS WaS Here,” according to media reports. The site had been restored by Tuesday.
Other websites, including one run by Ibaraki Prefectural Central Hospital and another for Fukui Prefectural Hospital, were also attacked by hackers.
The Ibaraki hospital detected sections that show the number of patients and seminar information being altered Sunday, said Yuji Uchimura, a hospital official.
The Fukui hospital also found the announcement section of its website had been similarly altered Monday, said Toyomi Otani, an official in charge of the site, adding that the hospital also used WordPress. No personal data have been stolen in these incidents, the hospitals said.
An official at the IPA said Tuesday cyberattacks exploiting WordPress’s security hole have been increasing at a rapid pace for the past several days, although he was unable to confirm the software was the route the hackers used to breach these sites.
IPA official Shohei Daido said the vulnerability was less likely to place personal information stored on a web server at risk because only the appearances of the websites have so far been affected.