Under the right conditions, any WordPress site can be used to launch a denial-of-service (DoS) attack.
The owner of a popular site found this out the hard way when they became the victim of a distributed denial-of-service (DDoS) attack using more than 162,000 legitimate WordPress sites – which took the targeted website down in what is referred to as a HTTP-based (layer 7) distributed flood attack, according to security company Sucuri.
The victim is a client of Sucuri and could not be named.
“Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites,” Daniel Cid, CTO of Sucuri, wrote in a blog post. “Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you're likely very fond of.”
In a Tuesday email correspondence, Cid told SCMagazine.com that Sucuri was hired when a DDoS attack, increasing in size as the hours passed, took down the popular website. The targeted site was incidentally a WordPress site, but Cid said that any website can be impacted by this type of flood attack.
“Their goal was to generate enough load on the victim's WordPress site to take it down,” Cid said. “And using random URL's they can do it with just a few hundred HTTP requests per second on an average site. This one was over a few thousands HTTP requests per second.”
The client told Sucuri that the attacker was a rival, but Cid said he could not confirm it because the source of the attacks was hidden behind all the WordPress sites. Cid added that the more than 162,000 WordPress sites launching the attack were located around the globe, with most in the U.S., and across all major hosting companies.
Owners of WordPress sites that are carrying out the layer 7 attacks may not be able to tell, Cid said, explaining proprietors can verify if their site is being misused by looking through logs for any “POST” requests to the XML-RPC file.
If WordPress runners see a pingback to a random URL, they will know their site is carrying out a DoS attack, Cid wrote, explaining that this can be prevented by disabling XML-RPC functionality, adding a bit of code (which is outlined in the blog post), or by enlisting the services of a security group.
“This is a well-known issue within WordPress and the core team is aware of it, it's not something that will be patched though,” Cid wrote. “In many cases this same issue is categorized as a feature, one that many plug-ins use, so in there lies the dilemma.”