Cyber Attacks Utilise the Pingback Function in 26,000 WordPress Websites

There have been reports this week from researchers at Sucuri of a number of cyber crime incidents that have used a huge network of 26,000 WordPress websites to launch multiple Layer 7 (also known as flood) Denial of Service (DoS) attacks.

A Denial of Service (DoS) attack is one where the perpetrator uses multiple compromised systems that are often infected with a Trojan virus to launch a single attack on one system. A Layer 7 or flood is where the server that is being attacked is disrupted because its resources and memory are overloaded.

WordPress Most Attacked CMS

The significance of this attack is that WordPress websites appear to have a vulnerability in them that allows them to be used by cyber criminals to attack other websites. According to Imperva’s 2015 annual Web Application Attack Report (WAAR) WordPress is now thought to be the most attacked CMS with around 3.5. times more attacks than non-CMS applications. Only last year for example thousands of WordPress sites were attacked or hijacked using malicious ‘Nutrino Exploit Kit’ code. The apparent vulnerability of WordPress to attack is a particularly worrying situation when you consider that WordPress now makes up 25% of all websites.

Popular Attack Against WordPress

The most recent DoS attack is the most popular kind that is used against WordPress, and is estimated to make up around 13% of all the attacks involving the system. In this most recent example the perpetrators used a series of IP addresses (in the 185.130.5.0/24 range) to control the botnet of WordPress sites. The 26,000 WordPress websites were then used by the attacker to generate 10,000 to 11,000 HTTPS requests per second against one website. When subjected to a flood of requests of this kind servers are unable to handle the load, a large consumption of memory is caused, and the operation of the server is therefore seriously disrupted.

Some Protection Was In Place

The frequency of this kind of attack against WordPress has meant that the system had an IP logging feature added to its version 3.9 to enable the IP address where ‘pingback’ requests originated to be noted. This should mean that the attacker’s IP shows in the log user agent. In this most recent case however the perpetrators were able to carry out an attack despite the logging feature being in place.

What Can You Do To Protect Your Website?

If you have a WordPress website for your business one step that you can take to prevent it being used as part of a larger attack against other sites is to disable pingbacks. It is the pingback element of WordPress that has repeatedly been responsible for so many of the attacks.