For years WordPress served as an undisputed king of all blogging platforms - a title which it still holds today. With over 100,000,000 sites Web-wide, huge following and myriad of plugins, WordPress is one of the most influential web technologies of our time, standing side-by-side with Google, Wikipedia, Facebook and other Internet giants.

Still, as many WordPress users will tell you, the king is not without its faults. The open source origin of WordPress is both its strong point and the source of some of its weaknesses, especially when it comes to security. Even today, with the development methods and quality standards at their highest level, WordPress still cannot resolve all of its vulnerabilities. One reminder came out a few months ago from Incapsula, a cloud security company, which reported about a crucial flaw in WordPress core architecture.

This flaw, which became known as ‘Pingback DDoS’ allowed, easy abuse of one of the platform’s functionalities, turning every WordPress site into potential target for devastating DDoS attacks.

Pingback is a built-in WordPress functionality, which was originally designed to support cross-referencing between different blogs. However, as Incapsula’s study shows, this function can also be used for malicious purposes. By creating a fake pingback request to XMLRPC API, an attacker can turn any WordPress site into a voluntary bot that can be used to DDoS other WordPress with HTTP pingback requests.

To achieve this, all an attacker has to do is to distribute XMLRPC pingback requests amongst several WP sites. With just one simple string of code - an example of which is provided below - an attacker can exploit any WP site in matter of seconds, without any hacking skills, coding or privileged access.

curl http://www.example.com/xmlrpc.php -d

'<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>

pingback.ping</methodName><params><param><value>

<string>http://attacked.site.com/link_to_post

</string></value></param><param><value><string>

http://www.example.com/any_blog_post/

</string></value></param></params></methodCall>'

By sending such requests to several hundred or thousands of WP sites, an attacker will create a chain reaction which will - in turn - flood ‘example.com’ with HTTP requests, effectively causing a site-crashing denial of service.

What makes this attack stand out is its availability. By Incapsula’s estimates, the vulnerability exists on most of the 100 million WordPress sites, simply because it’s an integral part of the platform’s core build, a feature turned on by default in all WordPress 3.5 versions.

The original attack, which invited Incapsula’s attention, demonstrates that better than anything. This attack, which was executed by more than 1000 different WP sites, originated from many prominent domains including ZenDesk, Trendmicro and Gizmodo. In the follow-up report Incapsula showed that the vulnerability exists in 8.49% of all Alexa top 25,000 websites.

Pingback DDoS relies on XMLRPC API. By deleting or renaming xmlrpc.php file in the root directory of your WordPress installation you can prevent pingback execution. This will also remove all pingback related functionalities. Alternatively, you can activate Incapsula, which offers protection against wordpress security and other security exploits for all free or paid plan customers.