Categories: SecurityWorkspace

Over 160,000 WordPress Sites Used In DDoS Attacks

Online criminals have leveraged a feature used by more than 162,000 WordPress sites to launch a large distributed denial of service (DDoS) attack.

They took advantage of Pingback, which seeks a file known as XML-RPC, a remote procedure call protocol that uses XML to encode its calls and HTTP to take it over the Internet. As that responds with a decent level of traffic, it makes for a handy amplifier.

DDoS over WordPress

Security firm Sucuri, which detected the attack, did not fully explain how the anonymous target was knocked offline. It’s likely this was a typical amplification DDoS, where the attacker spoofed the IP address of the target, sent out Pingbacks to the thousands of WordPress sites that had the feature switched on, which subsequently sent large volumes of traffic to the victim, which was also a WordPress site.

“Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk,” Sucuri said in a blog post.

“Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.

“This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use, so in there lies the dilemma.”

WordPress users who don’t want to be part of these attacks can either add a plugin that includes a preventative filter, or disable the feature altogether.

Attackers are leveraging a wide range of amplifiers, including age-old protocols like the Network Timing Protocol, which can produce epic traffic from small requests.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • I knew pingbacks were a bad idea, but I thought they were just a variation on spam.This is a lot worse.

    Dave

  • WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
    Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability launch a Application Layer DDoS attack.
    We all should take steps to hardened our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website to be used in DDoS attack. Details: http://www.cloudways.com/blog/ddos-attacks-wordpress-security/

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

17 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

18 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

19 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago