WordPress pingback DDoS is back in the news, and it spells trouble for most of the popular content management system’s 100 million sites.
The Return of Pingback DDoS
In mid-March, a popular WordPress site was suddenly overwhelmed by millions of HTTP requests coming from fellow WordPress sites. The hackers succeeded in bringing down the target site for several hours.
To engineer this attack, hackers took advantage of the XML-RPC procedure that comes enabled by default in WordPress 3.6. This procedure sends notifications to other WordPress sites when someone links back to them in WordPress posts or comments. When used properly, XML-RPC offers a variety of useful functions that help boost WordPress sites up Google and other search engine rankings.
Hackers hijacked this procedure by sending pingback requests to thousands of harmless WordPress sites, which then unknowingly relayed the requests to a single target server. The requests converged simultaneously, creating a massive DDoS strike that stalled the target server and cost its owners dearly in terms of dollars and reputation.
XML-RPC DDoS (aka Pingback DDoS) is simple yet devastating, and the fact that it demands a fraction of the computing expertise other DDoS attacks require only makes it more dangerous. Easy to execute as it is, the resulting attack is still strong enough to take down most well-established websites unless they are protected against layer 7 DDoS attacks. Simply put, Pingback DDoS may be simple, but it packs a punch.
Although the issue was discovered back in 2007, WordPress developers have not yet devised a way to maintain pingback, remote access, and the other core features included in XML-RPC while preventing hackers from abusing the procedure. WordPress developers claim that XML-RPC is not enough of a threat, compared with other more sophisticated DDoS attacks, for users to worry about. Hacker behavior over the last year, however, paints a less optimistic picture for the future of pingback DDoS and WordPress security.
The March attack was not the first significant pingback DDoS. In July 2013, DDoS protection service provider Incapsula was the first to record a Pingback DDoS attack against one of its WordPress clients. The attack, which reached 8,000 hits per second, had enough firepower to bring down even large commercial sites. Fortunately, the target site was protected, so the attack did not interrupt normal operations.
The attack reported by Incapsula used 50,000 “bots”, coming from such popular sites as Zendesk.com. A year later, in March 2014, another Pingback DDoS attack employed over 162,000 “bots” to flood another site with malicious DDoS traffic. This escalation demonstrates that hackers are more willing than ever to put time and resources into executing XML-RPC attacks, a portent of more pingback DDoS in the future.
There are many ways to DDoS a site, and pingback is just one of them. A more extensive list of WordPress vulnerabilities can be found here. Find out if XML-RPC is enabled on your WordPress site, and take the necessary steps to diminish the chances of abuse from outsiders.
To disable the pingback feature, go to your web hosting control panel and manually rename xmlrpc.php, or simply delete it from your root directory. There are many WordPress plugins that will disable or change XML-RPC on your site, or you can copy code from this guide into your .htaccess file.
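As an added example, not code from the original article: a small Python log check a site owner can run against Apache combined-format access logs to see whether their server is receiving pingback verification fetches relayed by other WordPress installs (the target's view), or whether their own xmlrpc.php is being hit with POSTs (the relay's view). The log lines and hostnames are constructed, and the target-side check assumes WordPress's default outbound User-Agent of the form `WordPress/<version>; <site URL>`.

```python
"""Spot pingback-style traffic in Apache combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; referer and user-agent are the last two quoted fields.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumption: WordPress fetches with the default User-Agent "WordPress/<version>; <site URL>".
WP_UA = re.compile(r"^WordPress/[\d.]+; (?P<origin>https?://\S+)")

# Constructed sample (not real traffic): three reflected fetches from different WordPress
# installs, one ordinary visitor, and two POSTs to this site's own xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2014:10:15:01 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-a.example"
203.0.113.11 - - [11/Mar/2014:10:15:02 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "WordPress/3.6.1; http://blog-b.example"
203.0.113.12 - - [11/Mar/2014:10:15:03 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "WordPress/3.7; http://blog-c.example"
198.51.100.7 - - [11/Mar/2014:10:15:04 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [11/Mar/2014:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.9 - - [11/Mar/2014:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""

def parse_line(line):
    """Parse one log line into a dict (None if it does not match the format)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua = WP_UA.match(rec["ua"])
    rec["origin"] = ua.group("origin") if ua else None  # relaying WordPress site, if any
    return rec

def find_reflected_pingbacks(lines, min_origins=3, window_seconds=10):
    """Target-side check: windows in which >= min_origins distinct WordPress sites fetched us."""
    buckets = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "GET" and rec["origin"]:
            buckets[int(rec["ts"].timestamp()) // window_seconds].add(rec["origin"])
    return {b: sorted(o) for b, o in buckets.items() if len(o) >= min_origins}

def count_xmlrpc_posts(lines):
    """Relay-side check: POSTs to xmlrpc.php per source IP (a sign this site is being used as a relay)."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            counts[rec["ip"]] += 1
    return dict(counts)
```

Run either function over the lines of your real access log during an incident; the first tells you whether you are the target, the second whether your own site is one of the relays.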
Another good solution is to consult a third-party protection service and have an expert evaluate the unique vulnerabilities in your website.