More than 162,000 WordPress sites used in DDoS attack

Share this article:
DDoS attacks continue to grow in size
More than 162,000 WordPress sites were used in a DDoS attack.

Under the right conditions, any WordPress site can be used to launch a denial-of-service (DoS) attack.

The owner of a popular site found this out the hard way when they became the victim of a distributed denial-of-service (DDoS) attack using more than 162,000 legitimate WordPress sites – which took the targeted website down in what is referred to as a HTTP-based (layer 7) distributed flood attack, according to security company Sucuri.

The victim is a client of Sucuri and could not be named.

“Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites,” Daniel Cid, CTO of Sucuri, wrote in a blog post. “Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you're likely very fond of.”

In a Tuesday email correspondence, Cid told SCMagazine.com that Sucuri was hired when a DDoS attack, increasing in size as the hours passed, took down the popular website. The targeted site was incidentally a WordPress site, but Cid said that any website can be impacted by this type of flood attack.

“Their goal was to generate enough load on the victim's WordPress site to take it down,” Cid said. “And using random URL's they can do it with just a few hundred HTTP requests per second on an average site. This one was over a few thousands HTTP requests per second.”

The client told Sucuri that the attacker was a rival, but Cid said he could not confirm it because the source of the attacks was hidden behind all the WordPress sites. Cid added that the more than 162,000 WordPress sites launching the attack were located around the globe, with most in the U.S., and across all major hosting companies.

Owners of WordPress sites that are carrying out the layer 7 attacks may not be able to tell, Cid said, explaining proprietors can verify if their site is being misused by looking through logs for any “POST” requests to the XML-RPC file.

If WordPress runners see a pingback to a random URL, they will know their site is carrying out a DoS attack, Cid wrote, explaining that this can be prevented by disabling XML-RPC functionality, adding a bit of code (which is outlined in the blog post), or by enlisting the services of a security group.

“This is a well-known issue within WordPress and the core team is aware of it, it's not something that will be patched though,” Cid wrote. “In many cases this same issue is categorized as a feature, one that many plug-ins use, so in there lies the dilemma.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Researchers observe more than a hundred connections to 'Backoff' sinkhole

Researchers with Kaspersky Lab were able to sinkhole two command-and-control servers used by certain Backoff point-of-sale malware samples.

Judge lifts stay but Microsoft won't hand over emails during appeal

A judge has lifted a suspension of a previous order compelling Microsoft to hand over customer emails stored on a server in Ireland.

Home Depot investigates possible payment card breach

Home Depot investigates possible payment card breach

Home Depot said on Tuesday that it is working with its banking partners and law enforcement to investigate a possible data breach.