Pingback DDoS and WordPress Security

Published on 08 July 13
Pingback DDoS and WordPress Security - Image 1

For years WordPress has served as the undisputed king of blogging platforms, a title it still holds today. With over 100,000,000 sites Web-wide, a huge following and a myriad of plugins, WordPress is one of the most influential web technologies of our time, standing side by side with Google, Wikipedia, Facebook and other Internet giants.

Still, as many WordPress users will tell you, the king is not without its faults. The open source origin of WordPress is both its strong point and the source of some of its weaknesses, especially when it comes to security. Even today, with development methods and quality standards at their highest level, WordPress still cannot resolve all of its vulnerabilities. One reminder came a few months ago from Incapsula, a cloud security company, which reported a critical flaw in the WordPress core architecture.

This flaw, which became known as "Pingback DDoS", allowed easy abuse of one of the platform's built-in functionalities, turning every WordPress site into a potential participant in devastating DDoS attacks.

Pingback DDoS Exploit

Pingback is a built-in WordPress functionality, originally designed to support cross-referencing between different blogs. However, as Incapsula's study shows, this function can also be used for malicious purposes. By sending a fake pingback request to the XML-RPC API, an attacker can turn any WordPress site into an unwitting bot that floods other sites with the HTTP requests WordPress issues while processing pingbacks.

To achieve this, all an attacker has to do is distribute XML-RPC pingback requests among several WP sites. With just one simple string of code, an example of which is provided below, an attacker can abuse any WP site in a matter of seconds, without any hacking skills, coding or privileged access.

curl http://www.example.com/xmlrpc.php -d \
'<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://attacked.site.com/link_to_post</string></value></param><param><value><string>http://www.example.com/any_blog_post/</string></value></param></params></methodCall>'

By sending such requests to several hundred or thousands of WP sites, an attacker creates a chain reaction which in turn floods "example.com" with HTTP requests, effectively causing a site-crashing denial of service.

What makes this attack stand out is how widely available it is. By Incapsula's estimates, the vulnerability exists on most of the 100 million WordPress sites, simply because it is an integral part of the platform's core build, a feature turned on by default in all WordPress 3.5 versions.

The original attack, which first drew Incapsula's attention, demonstrates this better than anything. The attack, which was executed by more than 1000 different WP sites, originated from many prominent domains including ZenDesk, Trendmicro and Gizmodo. In a follow-up report Incapsula showed that the vulnerability exists in 8.49% of all Alexa top 25,000 websites.

Prevention Methods

Pingback DDoS relies on the XML-RPC API. By deleting or renaming the xmlrpc.php file in the root directory of your WordPress installation you can prevent pingback execution. Note that this also removes all pingback-related functionality, along with everything else served through XML-RPC. Alternatively, you can activate Incapsula, which offers protection against this and other WordPress security exploits for all free and paid plan customers.
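For sites that need XML-RPC for other purposes, deleting xmlrpc.php is too blunt. The following is an added example (not code from the original post, from Incapsula or from WordPress) of a narrower control: an edge-side filter, such as a reverse proxy or WAF rule would apply, that parses the XML-RPC body and rejects only pingback.ping calls, the method the curl command above invokes, while letting other methods through. The function names, the "allow"/"block"/"malformed" decision values and the sample request bodies are constructed for this example; the pingback body mirrors the payload shown above.

```python
"""Edge-side filter for WordPress XML-RPC pingback requests.

Added example: not code from the original post, Incapsula or WordPress.
It classifies an XML-RPC methodCall body the way a reverse proxy or WAF
rule could, rejecting pingback.ping calls and passing other methods on.
Function names, decision strings and sample bodies are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Methods this filter refuses to forward to xmlrpc.php.
BLOCKED_METHODS = {"pingback.ping"}


def parse_method_call(body) -> Tuple[Optional[str], List[str]]:
    """Return (methodName, [string params]) for an XML-RPC methodCall body.

    Malformed XML or a non-methodCall root yields (None, []), so a caller
    can treat anything unparseable as suspicious instead of crashing.
    """
    if isinstance(body, str):
        body = body.encode("utf-8")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, []
    if root.tag != "methodCall":
        return None, []
    name_el = root.find("methodName")
    method = None
    if name_el is not None and name_el.text:
        method = name_el.text.strip()
    # In pingback.ping the first <string> is the URL the receiving site
    # will fetch to verify the link; the second is the local post.
    params = [
        (s.text or "").strip()
        for s in root.findall("params/param/value/string")
    ]
    return method, params


def decide(body) -> str:
    """Classify a request body as 'allow', 'block' or 'malformed'."""
    method, _params = parse_method_call(body)
    if method is None:
        return "malformed"
    if method in BLOCKED_METHODS:
        return "block"
    return "allow"


# Constructed sample bodies. PINGBACK_BODY mirrors the curl payload above;
# BENIGN_BODY calls wp.getUsersBlogs, an ordinary XML-RPC method.
PINGBACK_BODY = (
    '<?xml version="1.0" encoding="iso-8859-1"?>'
    "<methodCall><methodName>pingback.ping</methodName><params>"
    "<param><value><string>http://attacked.site.com/link_to_post"
    "</string></value></param>"
    "<param><value><string>http://www.example.com/any_blog_post/"
    "</string></value></param></params></methodCall>"
)
BENIGN_BODY = (
    "<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
    "<param><value><string>user</string></value></param>"
    "<param><value><string>pass</string></value></param>"
    "</params></methodCall>"
)

if __name__ == "__main__":
    for label, body in (("pingback", PINGBACK_BODY), ("benign", BENIGN_BODY),
                        ("garbage", "<methodCall><methodName>")):
        method, params = parse_method_call(body)
        print(f"{label:9s} method={method!r} params={params} -> {decide(body)}")
```

Blocking by method name keeps the rest of XML-RPC working, and logging the first parameter of rejected calls shows which site the reflector would have been fetching, which is useful when you want to warn the victim or correlate with an ongoing attack.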













Comment 1 (22 August 13):

    Millions of WordPress websites are exploitable for DDoS attacks. The pingback issue is not solved yet; one of my friends has updated his WordPress version to 3.5.2 and yet again his website is under attack by a pingback DDoS attack. This attack shows that even after the 3.5.2 update, pingback DDoS continues to pose a serious problem. If it's not fixed, this vulnerability will continue to threaten all WordPress users.

    I heard the exploit recommends that WordPress users disable their site's XML-RPC capability entirely, which can be done by logging into your cPanel instance or accessing your server via SSH and removing or renaming the file named xmlrpc.php.

    Waiting for an accepted solution for the same.
