Millions of WordPress sites used in the recent DDoS Attacks
Distributed Denial of Service attacks have increased in scale, intensity and frequency. There are wide range of motives for these attacks criminal, political, or social makes every company or organization with an online presence a potential target.
Couple of days ago a unique DDoS attack against a large gaming website was detected. Hackers where using thousands of legitimate WordPress blogs without the need for them to be compromised.
Incapsula released the list of “approximately 2,500 WordPress sites” from where the attack was originated, including some very large sites like Trendmicro.com, Gizmodo.it and Zendesk.com.
The attack makes uses of a PINGBACK feature in the WordPress which allows the author of one blog to send a ‘ping’ to a post on another blog to notify it that it has been referenced.
It turns out that most WordPress sites are sensitive to this abuse since this feature is enabled by default and there is no protection mechanism within WordPress against it.
The Pingback mechanism has been known to be a security risk for some time. Late last year a similar vulnerability was discovered that could turn third party blogs into a powerful port-scanning engine.
How to protect your Wordpress website?
To do it yourself, log into your web hosting control panel (cPanel, H-Sphere, Plesk, etc) and delete or rename xmlrpc.php in the root directory of your WordPress installation.
WARNING! You should take this step only if you have no need for remote-posting, pingbacks or trackbacks!