Dozens of law firms hacked during WordPress breach

Of the many website owners hacked during the recent WordPress breach, few will be as embarrassed as the dozens of law firms whose blogs were defaced. Like many affected sites, a number found their blogs featuring offensive messages and/or having their content replaced by the message: ‘Hacked by [name]’.

For affected firms, the damage to their reputations through public exposure to a cyber attack could prove costly. Client confidentiality is sacrosanct. Firms aggregate sensitive information and so are high on the target list for organized criminals. As the VP of strategy and market development at Varonis, David Gibson, told legal journal World Trademark Review (WTR):

Having your website defaced isn’t going to make clients feel any better about your data security practices […] Law firm clients will go elsewhere if their firm suffers a data breach or they feel their information is vulnerable, and a website defacement isn’t going to help anyone’s confidence.

Hackers target small firms

For the most part, the WTR reports, it was smaller law firms that were affected – as major companies are less likely to use a free and open-source content management system such as WordPress. WTR’s research suggests that dozens of smaller law firms were attacked, including those specializing in intellectual property law.

How hackers got in

The attack began after a privilege escalation vulnerability affecting WordPress 4.7 and 4.7.1 was disclosed, giving criminal hackers the information they needed to exploit any sites that had not yet been updated to the latest version. Security firm Sucuri, which told WordPress about the vulnerability on January 20, reported that attackers were able to craft simple HTTP requests that allowed them to bypass authentication systems and edit the titles and content of WordPress pages.

A patch was released six days later and included the fix without it being publicly announced at first (a ‘secret fix’), but many sites still did not update to WordPress 4.7.2. For International Investigators Incorporated, a US-based private investigation firm, it took a hacker’s advice to get them to install the update – when their blog was defaced to read “please update your wordpress”.
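As an added example (not code from this article, IT Governance or WordPress), here is a check a site owner can run to see whether an install is still on one of the affected 4.7 releases; it assumes the standard `$wp_version` declaration in `wp-includes/version.php` and that the install root is readable.

```python
import re
from pathlib import Path

# Releases named in the article: 4.7 and 4.7.1 carry the flaw, 4.7.2 carries the fix.
FIRST_AFFECTED = (4, 7, 0)
FIXED = (4, 7, 2)

# Matches the declaration WordPress ships in wp-includes/version.php,
# e.g.  $wp_version = '4.7.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(text):
    """'4.7.1' -> (4, 7, 1); '4.7' -> (4, 7, 0); a '-RC1'/'-beta' suffix is dropped."""
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def version_from_php(php_source):
    """Extract and parse the declared $wp_version from version.php contents."""
    match = VERSION_RE.search(php_source)
    if match is None:
        raise ValueError("no $wp_version declaration found")
    return parse_version(match.group(1))


def assess(version):
    """Classify a parsed version against the 4.7.x fix described in the article."""
    if FIRST_AFFECTED <= version < FIXED:
        return "affected: update to 4.7.2 or later"
    if version >= FIXED:
        return "fixed"
    return "pre-4.7: outside this check, review separately"


def check_install(wp_root):
    """Read wp-includes/version.php under wp_root and report the install's status."""
    source = (Path(wp_root) / "wp-includes" / "version.php").read_text()
    version = version_from_php(source)
    return ".".join(map(str, version)), assess(version)


# Constructed sample of a version.php declaration, not taken from a real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"

if __name__ == "__main__":
    v = version_from_php(SAMPLE_VERSION_PHP)
    print(".".join(map(str, v)), "->", assess(v))
```

Run `check_install("/var/www/html")` (or wherever the site lives) to test a real install rather than the embedded sample.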

Mitigate risks

The importance of installing patches as soon as they are released cannot be overstressed – even if you think your website is not likely to be targeted. The fact is that all websites are at risk because criminal hackers do not usually focus on specific sites but use automated attacks to seek known weaknesses in order to steal data.

Verifying that new and existing applications, networks and systems are not exposed to a security risk is also key to addressing these vulnerabilities. Conducting a penetration test can provide a realistic appraisal of the current state of your security and the risks attackers pose to your business.

IT Governance provides a range of penetration testing services. A CREST-accredited company, its services are performed by certified ethical hackers.

To discuss your penetration testing requirements, contact us on 1-877-317-3454 or email us at