WordPress Feature Leveraged to Launch DDoS Attacks

Core functionality in the open-source content management system is being abused to attack others.  

Download the authoritative guide: The Ultimate Guide to IT Security Vendors


Abusers are leveraging a feature in the popular WordPress open-source content management system to launch distributed denial-of-service (DDoS) attacks, according to multiple sources.

Todd Redfoot, chief information security officer at GoDaddy, told eWEEK that he started to see an uptick in WordPress attacks in late February.

The attacks leverage the XML-RPC (Remote Procedure Call) "pingback" functionality in WordPress to launch DDoS attacks. XML-RPC is legitimately used within WordPress as a mechanism for content owners to do a pingback of posts. The pingback allows content owners to track where their content is getting linked.

Redfoot noted that GoDaddy put counter-measures in place in late February to mitigate the XML-RPC DDoS risk, but has seen another big spike in activity during the first two weeks of March.

Security firm Sucuri is also seeing a large uptick in WordPress-related DDoS activities. Sucuri reported March 10 that it is aware of more than 162,000 WordPress sites participating in the DDoS activity.

Security blogger Brian Krebs reported March 12 that his own site is being attacked by 41,000 WordPress blogs.

Back in April of 2013, Web security firm Incapsula warned about the WordPress DDoS risk. On March 11, Incapsula posted a visualization of the current WordPress DDoS attack, which is hitting its network, fueled by 10,700 WordPress sites.

The current WordPress DDoS attack is particularly dangerous in that there is no patch that WordPress users can deploy to mitigate the risk.

Daniel Cid, CTO of Sucuri, told eWEEK that his firm is seeing attacks from all versions of WordPress.

"They patched a similar flaw recently, but not this one, which allows for a site to be misused for DDoS," Cid said. "It is actually one of these pingback features that can be misused to attack others. So, yes, 3.8.1 is still affected."

WordPress 3.8.1 is the most recent update of WordPress and was released at the end of January.


From GoDaddy's perspective, the risk of the WordPress DDoS attack is twofold. GoDaddy hosts WordPress Websites from which attacks can originate. In addition to being a hosting provider, it is also a target of DDoS attacks.

GoDaddy is employing both inbound and outbound measures to protect its customers and its own infrastructure, Redfoot said, explaining that GoDaddy has multiple layers of technology that are being used to monitor traffic and mitigate risk.

A key challenge of this particular attack is that it leverages a legitimate feature that some users need. "It's not a vulnerability in the WordPress platform; it's core functionality, and WordPress is reacting as it was designed to react," Redfoot said.

The question is about the volume of pingbacks, which is where the DDoS is occurring by overwhelming hosts with a large number of pingback requests. Redfoot suggested that setting the right threshold for normal pingback activity is one of many ways that GoDaddy is dealing with the risk. Users who don't need pingback functionality can also disable it from their own WordPress installations, he said.

"This attack won't go away because it works," Redfoot said. "So I hope, over time, we'll see more solutions and maybe a WordPress core tweak to try and distinguish good versus bad traffic."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.