An estimated 1.5 million WordPress blogs have been attacked by hackers after a bug was discovered in the site’s software.
Initially, hackers were just ‘defacing’ the blogs, but now there are fears they are actually taking over individual websites and running rampant.
Security firm Sucuri identified the vulnerability in an add-on for the WordPress software that was introduced in versions released at the end of 2016.
Sucuri informed WordPress of the flaw on 20 January after they found a “severe” bug.
“On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed,” it said.
In a blogpost, WordPress said “we believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites”.
It did this so it would have time to prompt hosting firms to update their software to a fixed version.
“On Thursday, January 26, we released WordPress 4.7.2 to the world. We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible.”
However, those sites that have not updated are still at risk.
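As an added example (not code from the article, WordPress or Sucuri), a small Python check that reads a site’s core version from `wp-includes/version.php` and reports whether it falls in the affected range; that range is taken here as 4.7.0 up to but not including 4.7.2, an assumption drawn from the article’s statements that the flaw arrived in late-2016 releases and was fixed in 4.7.2.

```python
"""Report whether a WordPress install still needs the 4.7.2 update.

Added example, not from the article or from WordPress/Sucuri. It assumes the
standard file wp-includes/version.php containing a line of the form
    $wp_version = '4.7.1';
and, as an assumption, treats 4.7.0 <= version < 4.7.2 as the affected range.
"""
import re
from pathlib import Path

FIXED_VERSION = "4.7.2"          # release named in the article
FIRST_AFFECTED = "4.7.0"         # assumption: first late-2016 release
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")


def parse_version(text: str) -> str:
    """Extract the core version string from the contents of version.php."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v: str) -> tuple:
    """Turn '4.7.10-beta1' into (4, 7, 10) so comparisons are numeric;
    a plain string compare would wrongly rank 4.7.10 below 4.7.2."""
    core = v.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:            # '4.7' is the same release as 4.7.0
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the install sits in the assumed affected range."""
    v = version_tuple(version)
    return version_tuple(FIRST_AFFECTED) <= v < version_tuple(FIXED_VERSION)


def check_install(wp_root: str) -> dict:
    """Read version.php under the given WordPress root and report status."""
    path = Path(wp_root) / "wp-includes" / "version.php"
    version = parse_version(path.read_text(encoding="utf-8"))
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    import sys
    print(check_install(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the web root of each hosted site; any result with `"affected": True` is a site the article describes as still at risk.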
In the last 48 hours there have been “over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor”, according to Wordfence founder Mark Maunder, speaking to Bleeping Computer.
“Attackers are starting to think of ways to monetise this vulnerability,” wrote Sucuri founder Daniel Cid. “Defacements don’t offer economic returns, so that will likely die soon.”
Sucuri has come up with a quick and efficient fix: disable the affected plugins.
“First of all, if you have any of these plugins, we recommend disabling them. We believe that PHP code should be run within a plugin or theme. It should not be run directly from the posts,” said Cid.
“Second, it seems attackers are starting to think of ways to monetise this vulnerability. Defacements don’t offer economic returns, so that will likely die soon. What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetise – and SPAM SEO / affiliate link / ad injections.”
“We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months.”