Published on March 12th, 2014

162,000 vulnerable WordPress websites abused to perform DDoS Attack

DDoS attacks are a growing problem for governments and businesses. In a recent attack, thousands of legitimate WordPress websites were turned into attack sources without the sites themselves being compromised: the attackers simply abused a known WordPress weakness (CVE-2013-0235, "Pingback Denial of Service possibility").

According to security company Sucuri, more than 162,000 legitimate WordPress sites were abused as reflectors in a recent amplification attack to launch a large-scale DDoS attack.


The attack exploited WordPress's XML-RPC (XML remote procedure call) interface, which implements services such as pingbacks and trackbacks. A pingback.ping call names a "source" URL, and the receiving site fetches that URL to verify the link, so anyone can make a WordPress site send an HTTP request to an arbitrary site of their choosing.

The functionality is meant to generate cross-references between blogs, but it lets a single machine originate millions of requests that arrive from many different source locations.

"Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites," a Sucuri researcher said in the blog post.

The pingback mechanism has been known to be a security risk for some time. XML-RPC is enabled by default in WordPress, so any site that does not explicitly block or filter pingback requests can be used as a reflector in this attack.
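
What the flood looks like from the target's side, as an added example that is not code from the article or from Sucuri: a small Python script that picks pingback-verification requests out of a web server access log and counts the WordPress sites being used as reflectors. It relies on the User-Agent WordPress sends for those fetches ("WordPress/<version>; <site URL>; verifying pingback from <ip>"). The log lines, site names and IP addresses below are constructed for the example, and the random query strings are an assumed cache-busting trick rather than something this page documents.

```python
import re
from collections import Counter

# Constructed sample of a victim's access log (Apache "combined" format).
# These lines are made up for this example; they follow the shape of what
# WordPress sends when it verifies a pingback: a GET for the claimed source
# URL with a User-Agent of the form
#   WordPress/<version>; <reflector home URL>; verifying pingback from <ip>
# where <ip> is the address that submitted the pingback.ping call to the
# reflector. The random query strings are an assumption (cache busting),
# not something this page documents.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137050=6431830 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [09/Mar/2014:11:05:28 -0400] "GET /?4137051=6431831 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [09/Mar/2014:11:05:28 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
203.0.113.12 - - [09/Mar/2014:11:05:29 -0400] "GET /?4137052=6431832 HTTP/1.0" 403 0 "-" "WordPress/3.7.1; http://blog-c.example; verifying pingback from 198.51.100.8"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Only the "verifying pingback from" suffix is the discriminator: a plain
# "WordPress/x.y" User-Agent also appears in feed fetches and other HTTP
# calls WordPress makes, so matching on "WordPress/" alone over-alerts.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[^;]+); (?P<home>[^;]+); '
    r'verifying pingback from (?P<origin>\S+)$'
)


def parse_pingback_line(line):
    """Return a dict for a pingback-verification request, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ua = PINGBACK_UA_RE.match(m.group("ua"))
    if not ua:
        return None
    return {
        "reflector_ip": m.group("ip"),        # WordPress site doing the fetch
        "reflector_home": ua.group("home"),   # its self-reported home URL
        "wp_version": ua.group("version"),
        "origin_ip": ua.group("origin"),      # who sent it the pingback.ping
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def summarize_pingback_flood(log_text):
    """Aggregate pingback-verification hits per reflector and per origin."""
    hits = [r for r in map(parse_pingback_line, log_text.splitlines()) if r]
    per_reflector = Counter(r["reflector_home"] for r in hits)
    per_origin = Counter(r["origin_ip"] for r in hits)
    return {
        "pingback_requests": len(hits),
        "distinct_reflectors": len(per_reflector),
        "distinct_origins": len(per_origin),
        "top_reflectors": per_reflector.most_common(3),
        "top_origins": per_origin.most_common(3),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize_pingback_flood(text).items():
        print(f"{key}: {value}")
```

Run it with a log file as the first argument, or with no arguments to process the embedded sample. The address after "verifying pingback from" is the client that called pingback.ping on the reflector, as the reflector saw it, so it usually points at the attacker's machine or a proxy in front of it; the reflector's own IP and home URL identify the WordPress site that needs fixing. A legitimate pingback produces exactly the same log line, so it is the volume and the spread across thousands of reflectors, not a single hit, that marks an attack.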

To stop your own WordPress site from being misused this way you need to disable the pingback part of XML-RPC, but switching off XML-RPC entirely is often not an option because other important features depend on it. Administrators can run an online WordPress DDoS scanner tool to check whether their site is vulnerable; if it is, a more targeted fix is to unregister only the pingback.ping method by adding the following code to your theme:
// Keep XML-RPC available but unregister the pingback.ping method, so this
// site can no longer be made to fetch arbitrary URLs on an attacker's behalf.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

Last year, in a series of similar DDoS attacks, more than 10,000 WordPress sites were abused to target gaming and government sites.
