Hackers trick 162,000 unsuspecting WordPress sites into launching DDoS attack

WordPress If you’re a bad guy wanting to blast a website off the internet, the obvious method is to use a distributed denial-of-service (DDoS) attack.

DDoS attacks typically use a botnet of computers in a co-ordinated attack, driving web traffic to a particular site. The victim site can’t cope with the barrage, and – unless properly prepared – falls over.

Many sites would have the same problem if hordes of Justin Bieber fans all clicked on a link he had tweeted at the same time.

But what if you don’t have access to a botnet of compromised computers, or can’t talk Justin Bieber into tweeting a URL of your choosing?

Sign up to our free newsletter.
Security news, advice, and tips.

Well, maybe you’ll take advantage of the millions of unsuspecting websites out there running WordPress.

Sucuri has blogged this week about a DDoS attack which brought down a website, after over 162,000 websites running WordPress were all tricked into sending it unwanted traffic.

Sucuri blog post

The attack relied upon Pingbacks – a feature of WordPress that allows a site running WordPress to inform other sites when you write a blog post linking to them.

But the WordPress sites were not hacked or compromised. Instead, through use of a simple UNIX command line, a remote hacker could tell one website to send an HTTP request to the target site, via the Pingback feature.

Pingback is enabled by default on WordPress sites, meaning that the vast majority of websites running the software could probably be recruited into a DDoS attack without their knowledge.

Here’s a natty graphic from the folks at Incapsula, showing how attackers can exploit WordPress’s Pingback feature to launch a DDoS attack.

Pingback DDoS attack

In a similar attack last year, Incapsula described how hackers had exploited the same trick on approximately 2500 WordPress websites, including ones run by Trend Micro, Gizmodo and Zendesk.

At the time, Incapsula issued a chilling warning:

This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.

Clearly things haven’t changed much in the intervening year, and there are still plenty of WordPress sites out there which could be easily recruited into criminal DDoS attacks.

If you administer a self-hosted WordPress site then read Sucuri’s blog for advice on how to best ensure that your website isn’t aiding a DDoS attack.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Hackers trick 162,000 unsuspecting WordPress sites into launching DDoS attack”

  1. Eddie Mayan

    WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
    Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability launch a Application Layer DDoS attack.
    We all should take steps to hardened our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website to be used in DDoS attack. Details: http://www.cloudways.com/blog/ddos-attacks-wordpress-security/

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.