More than 162,000 legitimate WordPress sites were abused to launch a distributed denial-of-service (DDoS) attack, an HTTP-based (layer 7) flood that was relayed through them against a single target.
According to IT security firm Sucuri, any WordPress site with pingback enabled (which is on by default) can be used in DDoS attacks against other sites: an attacker sends the site a pingback.ping XML-RPC request that names the victim as the linking page, and the site then fetches that URL to verify the link. In this incident the flood of verification requests from valid, legitimate WordPress sites hit the target at hundreds of requests per second.
“Is your site attacking others? It might be and you have no idea. To verify, look through your logs for any POST requests to the XML-RPC file, similar to the one below. If you see a pingback to a random URL, you know your site is being misused,” said Daniel Cid in a blog post.
“This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorised as a feature, one that many plugins use, so in there lies the dilemma.”
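The log check Cid describes can be scripted. The following is an added example, not code from Sucuri or from WordPress: it scans constructed Apache/nginx combined-format access log lines for POST requests to xmlrpc.php, counts them per client IP, and parses an XML-RPC request body (the kind a WAF or mod_security audit log would capture, since the access log itself does not record bodies) to pull out the pingback.ping source and target URLs. The log lines, IP addresses and URLs are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not from any real site). Two hosts POST to
# xmlrpc.php; the GET on the last line is not a pingback call.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:10:01:12 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "-"',
    '203.0.113.7 - - [10/Mar/2014:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "-"',
    '198.51.100.4 - - [10/Mar/2014:10:01:14 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 200 371 "-" "python-requests/2.2"',
    '192.0.2.9 - - [10/Mar/2014:10:01:15 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.35"',
]

# Constructed pingback.ping body. The first param (sourceURI) is the page
# that supposedly links to us; WordPress will fetch it to verify the link,
# which is exactly what an attacker exploits by putting the victim there.
PINGBACK_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/</string></value></param>
    <param><value><string>http://blog.example/2014/03/hello-world/</string></value></param>
  </params>
</methodCall>"""


def find_xmlrpc_posts(lines):
    """Return (ip, status, user_agent) for every POST to xmlrpc.php in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop query string
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            hits.append((m.group("ip"), int(m.group("status")), m.group("ua")))
    return hits


def posts_per_source(lines):
    """Count xmlrpc.php POSTs per client IP; a high count from one IP is the tell."""
    return Counter(ip for ip, _, _ in find_xmlrpc_posts(lines))


def pingback_targets(xml_body):
    """Parse an XML-RPC body. Return (sourceURI, targetURI) for pingback.ping, else None."""
    root = ET.fromstring(xml_body)
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    params = [v.text for v in root.iterfind("./params/param/value/string")]
    if len(params) != 2:
        return None  # malformed pingback; nothing to report
    return params[0], params[1]


if __name__ == "__main__":
    for ip, n in posts_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST(s) to xmlrpc.php")
    found = pingback_targets(PINGBACK_BODY)
    if found:
        print(f"pingback.ping would make this site fetch {found[0]} on behalf of {found[1]}")
```

Run against a real access log, feed the file's lines to `posts_per_source`; a burst of POSTs to xmlrpc.php from a handful of addresses, each followed by outbound fetches to an unrelated host, is the pattern described above. Since WordPress core will not change this behaviour, the usual fix on the site side is to disable the method, for example by removing `pingback.ping` through the `xmlrpc_methods` filter or by blocking access to xmlrpc.php at the web server if nothing legitimate needs it.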
Commenting, Sean Power, security operations manager at DOSarrest, said: “The vulnerabilities in old versions of WordPress mean that hackers can exploit them to be used for DDoS attacks. This is nothing new, in fact, it was first recognised back in 2007.
“Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks. The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners. This is a prime example of how users aren’t regularly performing updates to their websites, because if they were, we wouldn’t still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw.”
Tim ‘TK’ Keanini, CTO of Lancope, said: “This is not something that will ever go away – this is the way it is going to be from here on out. These cyber criminals continue to innovate and find vulnerabilities to exploit for their criminal activity. To add to this, we continue to put insecure devices on the internet and with the Internet of Things ramping up, there is just no end to the supply of targets.
“What we need to do is to focus on the precision, timeliness, and leadership through these crises – not the fact that they will just go away. They are here to stay and a part of doing business in the Internet age. When these events happen, what does leadership look like that provides business continuity and restores customer confidence? That is the question we need to be asking because hanging your head in shame does no one any good.”