TL;DR
A specially crafted comment can harm your WordPress site, exploiting a vulnerability in older versions. This guide shows you how to check if you’re affected and how to fix it.
What is CVE-2016-4567?
CVE-2016-4567 is a security flaw found in WordPress versions before 4.5.3. It allows an attacker to inject malicious JavaScript code into comments, which can then be executed by visitors viewing those comments. This could lead to website defacement, stealing user cookies, or redirecting users to harmful sites.
How Can a Comment Harm My Site?
The vulnerability exists because WordPress didn’t properly sanitise certain comment data before displaying it. An attacker can use this to insert JavaScript that looks harmless in the comment text but runs in the browser of every visitor who views it.
Step-by-Step Fix
- Check Your WordPress Version: The first thing you need to do is find out what version of WordPress you’re running.
  - Log into your WordPress admin area.
  - Go to Dashboard → Updates.
  - If your version is older than 4.5.3, you need to update immediately!
- Update WordPress: Updating is the easiest and most effective way to fix this vulnerability.
  - On the Updates page (Dashboard → Updates), if an update is available, click the “Update Now” button.
  - WordPress will download and install the latest version automatically.
- Check for Suspicious Comments: Even after updating, it’s a good idea to check your existing comments for anything unusual.
  - Go to Comments in your WordPress admin area.
  - Look for comments containing JavaScript code (e.g., <script> tags). Be careful – attackers can try to hide the code!
  - Delete any suspicious comments immediately.
- Scan with a Security Plugin: Consider using a WordPress security plugin like Wordfence, Sucuri Security, or iThemes Security.
  - These plugins can scan your site for malware and other vulnerabilities, including malicious code in comments.
  - Install and activate the plugin of your choice from Plugins → Add New.
  - Follow the plugin’s instructions to run a full site scan.
- (Advanced) Check .htaccess (If you suspect redirection): If you think users are being redirected, check your .htaccess file.
  - Connect to your server using FTP or a file manager in your hosting control panel.
  - Locate the .htaccess file in your WordPress root directory.
  - Download it and open it in a text editor.
  - Look for any unusual redirects (lines starting with Redirect or RewriteRule). If you find anything suspicious, remove it carefully. Back up the .htaccess file before making changes!
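As an added example (not part of the original guide), the following Python script automates the manual comment check and the .htaccess check above: it normalises comment text so that entity-encoded or mixed-case markup does not slip past a search for <script> tags, and lists the Redirect and RewriteRule lines in .htaccess that send visitors to another site. The sample comments and .htaccess content are constructed for the demonstration, and the patterns are heuristics, so every hit should still be reviewed by hand.

```python
import html
import re

# Markup that has no place in an ordinary blog comment (a heuristic: review every hit by hand).
SUSPICIOUS = re.compile(
    r"<\s*(?:script|iframe|svg|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

def normalise(text: str) -> str:
    """Undo the usual ways of hiding markup from a naive search: nested HTML
    entities, null bytes and line breaks inside a tag."""
    prev = None
    while prev != text:              # &amp;lt; -> &lt; -> <
        prev, text = text, html.unescape(text)
    return re.sub(r"[\r\n\t\x00]+", " ", text)

def flag_comments(comments):
    """Return (comment_id, marker) for each comment whose body looks like it carries script."""
    hits = []
    for cid, body in comments:
        m = SUSPICIOUS.search(normalise(body))
        if m:
            hits.append((cid, m.group(0).lower()))
    return hits

# Redirect directives and RewriteRule lines targeting an absolute URL deserve a close look.
OFFSITE_REDIRECT = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?\b|RewriteRule\s+\S+\s+https?://)",
    re.IGNORECASE,
)

def redirect_lines(htaccess_text: str):
    """Return (line_number, line) for every .htaccess line that redirects off-site."""
    return [(n, line.rstrip()) for n, line in enumerate(htaccess_text.splitlines(), 1)
            if OFFSITE_REDIRECT.match(line)]

# Constructed sample data, not real comments or a real server file.
SAMPLE_COMMENTS = [
    (1, "Great post, thanks for sharing!"),
    (2, "Nice &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt; tip"),  # double-encoded
    (3, '<a href="JaVaScRiPt:alert(1)">click</a>'),                        # mixed-case scheme
    (4, "<img src=x onerror=alert(1)>"),                                    # event handler
]
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteRule . /index.php [L]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]
"""
```

Running `flag_comments(SAMPLE_COMMENTS)` flags comments 2, 3 and 4 with the marker that triggered each one, and `redirect_lines(SAMPLE_HTACCESS)` reports only the final RewriteRule, since the standard WordPress rewrite lines target a local path.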
Preventing Future Issues
- Keep WordPress Core Updated: Regularly update WordPress to the latest version as soon as updates are released.
- Update Themes and Plugins: Outdated themes and plugins can also have vulnerabilities. Keep them updated too!
- Use Strong Passwords: Use strong, unique passwords for all your WordPress accounts.
- Limit Comment Access: Consider requiring users to register before commenting or moderating comments manually.