162,000 vulnerable WordPress websites abused to perform DDoS Attack

DDoS attacks are a growing issue facing by governments and businesses. In a recent attack, thousands of legitimate WordPress websites have been hijacked by hackers, without the need for them to be compromised. Instead, the attackers took advantage of an existing WordPress vulnerability (CVE-2013-0235) - “Pingback Denial of Service possibility”.

According to security company Sucuri, in a recent amplification attack more than 162,000 legitimate Wordpress sites were abused to launch a large-scale distributed denial-of-service (DDoS) attack.

The attack exploited an issue with the XML-RPC (XML remote procedure call) of the WordPress, use to provide services such as Pingbacks, trackbacks, which allows anyone to initiate a request from WordPress to an arbitrary site.

The functionality should be used to generate cross references between blogs, but it can easily be used for a single machine to originate millions of requests from multiple locations.

"Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites,” Sucuri researcher said in the blog post.

The Pingback mechanism has been known to be a security risk for some time. XML-RPC is enabled by default on WordPress and websites with no protection mechanism are vulnerable to this attack.

To stop your WordPress website from being misused, you will need to disable the XML-RPC (Pingback) functionality on your site, but completely disabling XML-RPC itself is unlikely because it’s needed for important features. Wordpress administrators can check online WordPress DDOS Scanner tool to find if their blogs are vulnerable or not and if it is, then a better way to block it is by adding the following code to your theme:

Last year in a series of similar DDoS attacks, more than 10,000 WordPress sites were abused to target Gaming and Government sites.