A recent change to the default configuration of the WordPress content management system leaves thousands of websites open to use by malicious parties to instigate a distributed denial of service (DDoS) attack against innocent sites.
Online security company Incapsula has released details of how it mitigated a DDoS attack against its clients that used the pingback mechanism of WordPress sites to flood target sites with thousands of requests, potentially overwhelming their ability to meet legitimate requests.
According to the report, the attack involved at least 2,500 sites, including sites like trendmicro.com and zendesk.com. Unlike the recent DDoS attacks that used open recursive DNS servers to amplify the amount of data involved, this exploit isn’t capable of significantly amplifying data, but because WordPress is almost ubiquitous and almost all WordPress sites are vulnerable, it wouldn’t take much effort to recruit large numbers of sites for any attack.
Pingbacks are intended to be a mechanism for automatically notifying site owners when another site links to them. When the originating site creates a link, WordPress sends an XML-RPC request to the linked site, which checks that a link exists and records the pingback.
Unfortunately, WordPress does not implement any mechanism for verifying the originator of a pingback request, which means that with very little expertise it’s possible to use common networking tools like ‘curl’ to direct a pingback request at a vulnerable WordPress instance and cause it to send a request to the target site named in that pingback.
Because WordPress is so popular and used by many of the largest sites on the web, the attackers can have their pick of potential attack nodes. Unlike many attacks that rely on a site being compromised before it’s used in a DDoS attack, in this case it is a flaw in WordPress itself that opens it to being drafted as part of a botnet that can knock sites off the Internet.
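The mechanism described above leaves traces on both ends: a WordPress site being recruited sees a stream of POSTs to its xmlrpc.php, and the target sees page fetches from many unrelated WordPress installs. The following log-triage script is an added example written for this article, not code from Incapsula or from WordPress; it runs over constructed Apache/nginx "combined" log lines embedded inline. The User-Agent shape it matches ("WordPress/x.y; <site>; verifying pingback from <ip>") is assumed here to be what WordPress sends when it verifies a pingback; the article itself does not quote it, so adjust the pattern to what your own logs show.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the article). The first two show a
# WordPress site's own xmlrpc.php being hit with pingback requests from one
# source; the next two show what a *target* sees: verification GETs arriving
# from several different WordPress installs; the last line is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "curl/7.30.0"
198.51.100.10 - - [10/Mar/2014:12:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 8192 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.11 - - [10/Mar/2014:12:00:03 +0000] "GET /?p=2 HTTP/1.1" 200 8192 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 203.0.113.7"
192.0.2.5 - - [10/Mar/2014:12:00:04 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed User-Agent of a WordPress install verifying a pingback (see lead-in).
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[^;]+; (?P<origin>\S+); verifying pingback from (?P<sender>\S+)'
)


def parse(log_text):
    """Yield one dict per well-formed combined-format log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def xmlrpc_posts(log_text):
    """Reflector-side check: POSTs to xmlrpc.php counted per source IP.
    A burst from one address on a site that never legitimately receives
    pingbacks is the sign that the site is being used to hit someone else."""
    counts = Counter()
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            counts[rec["ip"]] += 1
    return counts


def pingback_verifications(log_text):
    """Target-side check: GETs from WordPress pingback verifiers, grouped by
    the address the verifier reports as the pingback's sender (the IP that
    posted to the reflector's xmlrpc.php). Returns {sender: [reflector IPs]}."""
    by_sender = defaultdict(set)
    for rec in parse(log_text):
        m = PINGBACK_UA_RE.match(rec["ua"])
        if m and rec["method"] == "GET":
            by_sender[m.group("sender")].add(rec["ip"])
    return {sender: sorted(ips) for sender, ips in by_sender.items()}


def distinct_reflectors(log_text):
    """How many distinct WordPress installs have been seen verifying pingbacks
    against this site; the article's attack involved at least 2,500 of them."""
    return sum(len(ips) for ips in pingback_verifications(log_text).values())


if __name__ == "__main__":
    print("xmlrpc.php POSTs by source:", dict(xmlrpc_posts(SAMPLE_LOG)))
    print("pingback verifiers by reported sender:", pingback_verifications(SAMPLE_LOG))
    print("distinct reflectors:", distinct_reflectors(SAMPLE_LOG))
```

Run it against a real access log by reading the file into `SAMPLE_LOG`'s place. On the target side, the count of distinct reflectors matters more than request volume, since each WordPress site only issues a modest number of fetches; on the reflector side, any POST to xmlrpc.php from an address that is not a known blogging client is worth alerting on once pingbacks have been disabled as the article advises.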
In order to avoid being used in a DDoS attack, WordPress site owners should disable the pingback mechanism in their blog. The configuration for pingback is located in the ‘Discussion’ section of the WordPress Settings menu.
The company that discovered the exploit recommends that WordPress users disable their site’s XML-RPC capability entirely, which can be done by logging into your cPanel instance or accessing your server via SSH and removing or renaming the file named xmlrpc.php.