WordPress’ pingback function can be abused to mount a denial of service (DoS) attack on blogs without their owners noticing, Germany’s Heise IT website reports. It is unlikely that the problem will be remedied with an update.
Security company Sucuri reports on an attack on one WordPress installation in which more than 162,000 other WordPress sites were misused as a DDoS platform. In this instance the attacker used the software’s pingback function in order to cripple the target website. With a pingback, one WordPress site can notify another that it has quoted its blog post.
The attack works in such a manner that an attacker searches for a legitimate blog which has pingback activated (currently the default configuration for new WordPress installations) and then simulate a pingback from the victim’s site. The victim’s blog then queries the victim for the post which was quoted in the faked pingback. If the attacker does this with many sites, the flood of traffic is difficult for the target site to black as the queries look completely legitimate and originate from trustworthy sources.
In the attack observed by Sucuri randomly generated URLs were quoted in the fake pingbacks for the victim’s ostensible posts. This results in WordPress’ caching mechanism does not take effect and the web server is so overloaded since the database must attempt to deliver the supposed posts for each request. Of course, in reality the server just serves up 404 error pages, since there are no pages for the random URLs. Nevertheless, if there are many such requests, this is sufficient to cripple the WordPress installation’s database. On Unix and Linux systems such an attack can be launched very simply by using the curl command on the command line.
As the attack is misusing the ordinary working of the pingback function, it cannot be assumed that WordPress developers are going to do something about the problem. Site owners can prevent their blog being miused in this way by deactivating their installation’s pingback functions. Sucuri itself is proposing source code for a WordPress plug-in which should block the attacks, as follows:
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;
} );
Use Sicuri’s WordPress DDoS Scanner to check if your site is being used for launching such attacks on other websites.