Millions of WordPress sites used in the recent DDoS Attacks

May 3, 2013 in Blog by


Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks (criminal, political, or social) makes every company or organization with an online presence a potential target.

A couple of days ago, a unique DDoS attack against a large gaming website was detected. Hackers were using thousands of legitimate WordPress blogs, without any need to compromise them.

Incapsula released a list of “approximately 2,500 WordPress sites” from which the attack originated, including some very large sites like, and

The attack makes use of the Pingback feature in WordPress, which allows the author of one blog to send a ‘ping’ to a post on another blog to notify it that it has been referenced.

It turns out that most WordPress sites are susceptible to this abuse, since the feature is enabled by default and WordPress has no protection mechanism against it.

The Pingback mechanism has been known to be a security risk for some time. Late last year a similar vulnerability was discovered that could turn third-party blogs into a powerful port-scanning engine.

How to protect your WordPress website?

To do it yourself, log into your web hosting control panel (cPanel, H-Sphere, Plesk, etc.) and delete or rename xmlrpc.php in the root directory of your WordPress installation.

WARNING! You should take this step only if you have no need for remote-posting, pingbacks or trackbacks!
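
Before removing the file, it helps to know who is still calling it. The following is an added example, not part of the original post: it summarises POST requests to xmlrpc.php in a web server access log by client IP. It assumes the Apache/nginx "combined" log format; the sample log lines and client names are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumes the Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up client names).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2013:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleClient/1.0"',
    '203.0.113.7 - - [03/May/2013:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleClient/1.0"',
    '203.0.113.7 - - [03/May/2013:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "ExampleClient/1.0"',
    '198.51.100.20 - - [03/May/2013:10:05:00 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 200 410 "-" "ExampleBlogApp/2.3"',
    '198.51.100.20 - - [03/May/2013:10:06:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "ExampleBlogApp/2.3"',
    '192.0.2.44 - - [03/May/2013:10:07:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "ExampleBrowser/5.0"',
    'this line is not in combined format',
]

def summarize_xmlrpc(lines):
    """Per client IP: number of POSTs to xmlrpc.php, status codes, user agents."""
    summary = defaultdict(lambda: {"hits": 0, "statuses": Counter(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a POST
        path = m["path"].split("?", 1)[0]  # drop any query string
        if not path.lower().endswith("/xmlrpc.php"):
            continue  # some other script
        entry = summary[m["ip"]]
        entry["hits"] += 1
        entry["statuses"][m["status"]] += 1
        entry["agents"].add(m["agent"])
    return dict(summary)

def heavy_callers(summary, threshold):
    """Client IPs with at least `threshold` XML-RPC POSTs, busiest first."""
    hits = [(ip, e["hits"]) for ip, e in summary.items() if e["hits"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]

if __name__ == "__main__":
    result = summarize_xmlrpc(SAMPLE_LOG)
    for ip in heavy_callers(result, 1):
        e = result[ip]
        print(ip, e["hits"], dict(e["statuses"]), sorted(e["agents"]))
```

If the busiest callers are tools you recognise (a remote-posting client, for example), the warning above applies to you. After the file is renamed, requests from the same clients should show up with status 404 instead of 200.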

About Milan

The founder of Dessky, Milan has worked in all aspects of advanced web development, from building large commercialized e-commerce and social network systems to troubleshooting small WordPress blogs. His extensive skills cover virtually every area of web development. Milan works hard to implement tomorrow’s trends utilizing the cutting edge systems of today. He specializes in rich internet web application development and deployment, complex HTML5/CSS3 graphical design layouts, full blown framework-driven rich internet applications, and much more. Milan provides elegant solutions to complex problems encountered by businesses that use internet based services. He is also a graduate engineer in both Computer Science and Information Technology.


2 responses to Millions of WordPress sites used in the recent DDoS Attacks

  1. Linda Danielis says:

    Does this mean that the pingomatic service on wordpress will no longer work and that other ping lists should not be subscribed to?

    • Milan says:

      Hi Linda, you should delete or rename xmlrpc.php only if you have no need for remote-posting, pingbacks or trackbacks.
