Hackers trick 162,000 unsuspecting WordPress sites into launching DDoS attack


If you’re a bad guy wanting to blast a website off the internet, the obvious method is to use a distributed denial-of-service (DDoS) attack.

DDoS attacks typically use a botnet of computers in a co-ordinated attack, driving web traffic to a particular site. The victim site can’t cope with the barrage, and - unless properly prepared - falls over.

Many sites would have the same problem if hordes of Justin Bieber fans all clicked on a link he had tweeted at the same time.

But what if you don’t have access to a botnet of compromised computers, or can’t talk Justin Bieber into tweeting a URL of your choosing?

Well, maybe you’ll take advantage of the millions of unsuspecting websites out there running WordPress.

Sucuri has blogged this week about a DDoS attack which brought down a website, after over 162,000 websites running WordPress were all tricked into sending it unwanted traffic.

Sucuri blog post

The attack relied upon Pingbacks - a feature of WordPress that allows a site running WordPress to inform other sites when you write a blog post linking to them.

But the WordPress sites were not hacked or compromised. Instead, using a single UNIX command-line request, a remote hacker could tell a WordPress site to send an HTTP request to the target site, via the Pingback feature.

Pingback is enabled by default on WordPress sites, meaning that the vast majority of websites running the software could probably be recruited into a DDoS attack without their knowledge.
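For a site on the receiving end, the reflected requests are recognisable in the access log. The script below is an added example (not from this article or from Sucuri's post) that picks WordPress pingback-verification requests out of constructed combined-format log lines and counts how many distinct reflecting sites are involved and which address asked them to ping; it assumes the User-Agent WordPress sends while verifying a pingback has the form `WordPress/<version>; <site URL>; verifying pingback from <IP>`.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not real traffic.
# Three different WordPress sites fetch the target, all reporting the same
# "verifying pingback from" address: the client that submitted the pingbacks.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:10:00:01 +0000] "GET /?4875 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Mar/2014:10:00:01 +0000] "GET /?9921 HTTP/1.0" 200 512 "-" "WordPress/3.7; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Mar/2014:10:00:02 +0000] "GET /?1034 HTTP/1.0" 200 512 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 198.51.100.7"
192.0.2.5 - - [10/Mar/2014:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2014:10:00:03 +0000] "GET /?5512 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
"""

# Combined log format: client IP, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed shape of the User-Agent WordPress uses for the pingback verification fetch.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/[^;]+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)


def analyze(log_text):
    """Return (hits per reflecting site IP, hits per pingback-submitting address)."""
    reflectors = Counter()
    origins = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if not ua:
            continue  # ordinary visitor, not a pingback verification
        reflectors[m.group("ip")] += 1
        origins[ua.group("origin")] += 1
    return reflectors, origins


def is_pingback_flood(reflectors, min_reflectors=3):
    """Many distinct WordPress sites verifying pingbacks at once is the reflection signature."""
    return len(reflectors) >= min_reflectors
```

The per-origin count is the useful pivot for a defender: the reflecting sites are innocent, while the address in "verifying pingback from" is the client that submitted the pingback requests.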

Here’s a natty graphic from the folks at Incapsula, showing how attackers can exploit WordPress’s Pingback feature to launch a DDoS attack.

Pingback DDoS attack

In a similar attack last year, Incapsula described how hackers had exploited the same trick on approximately 2500 WordPress websites, including ones run by Trend Micro, Gizmodo and Zendesk.

At the time, Incapsula issued a chilling warning:

This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.

Clearly things haven’t changed much in the intervening year, and there are still plenty of WordPress sites out there which could be easily recruited into criminal DDoS attacks.

If you administer a self-hosted WordPress site then read Sucuri’s blog for advice on how to best ensure that your website isn’t aiding a DDoS attack.



One Response

  1. Eddie Mayan

    May 22, 2014 at 12:28 pm

    WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
    Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability to launch an Application Layer DDoS attack.
    We all should take steps to harden our WordPress security so it cannot be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website from being used in a DDoS attack. Details: http://www.cloudways.com/blog/ddos-attacks-wordpress-security/
