Hackers trick 162,000 unsuspecting WordPress sites into launching DDoS attack

If you’re a bad guy wanting to blast a website off the internet, the obvious method is to use a distributed denial-of-service (DDoS) attack.

DDoS attacks typically use a botnet of computers in a co-ordinated attack, driving web traffic to a particular site. The victim site can’t cope with the barrage, and – unless properly prepared – falls over.

Many sites would have the same problem if hordes of Justin Bieber fans all clicked on a link he had tweeted at the same time.

But what if you don’t have access to a botnet of compromised computers, or can’t talk Justin Bieber into tweeting a URL of your choosing?

Sign up to our newsletter
Security news, advice, and tips.

Well, maybe you’ll take advantage of the millions of unsuspecting websites out there running WordPress.

Sucuri has blogged this week about a DDoS attack which brought down a website, after over 162,000 websites running WordPress were all tricked into sending it unwanted traffic.

The attack relied upon Pingbacks – a feature of WordPress that allows a site running WordPress to inform other sites when you write a blog post linking to them.

But the WordPress sites were not hacked or compromised. Instead, through use of a simple UNIX command line, a remote hacker could tell one website to send an HTTP request to the target site, via the Pingback feature.

Pingback is enabled by default on WordPress sites, meaning that the vast majority of websites running the software could probably be recruited into a DDoS attack without their knowledge.

Here’s a natty graphic from the folks at Incapsula, showing how attackers can exploit WordPress’s Pingback feature to launch a DDoS attack.

In a similar attack last year, Incapsula described how hackers had exploited the same trick on approximately 2500 WordPress websites, including ones run by Trend Micro, Gizmodo and Zendesk.

At the time, Incapsula issued a chilling warning:

This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.

Clearly things haven’t changed much in the intervening year, and there are still plenty of WordPress sites out there which could be easily recruited into criminal DDoS attacks.

If you administer a self-hosted WordPress site then read Sucuri’s blog for advice on how to best ensure that your website isn’t aiding a DDoS attack.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.