On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward.
At issue is the “pingback” function, a feature built into WordPress and plenty of other CMS tools that is designed to notify (or ping) a site that you linked to their content. Unfortunately, like most things useful on the Web, the parasites and lowlifes of the world are turning pingbacks into a feature to be disabled, lest it be used to attack others.
And that is exactly what’s going on. Earlier this week, Web site security firm Sucuri Security warned that it has seen attackers abusing the pingback function built into more than 160,000 WordPress blogs to launch crippling attacks against other sites.
“Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites,” Sucuri’s Daniel Cid wrote. “One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request.”
Bloggers can disable pingback on posts by clicking “Settings” then “Discussion”, and then unchecking the following options if they are checked:
-Attempt to notify any blogs linked to from the article
-Allow link notifications from other blogs (pingbacks and trackbacks)
Unfortunately, Cid said, this only appears to prevent pingbacks on new blog posts and does nothing to disable pingbacks on posts that are already published for which pingback was previously enabled. There is, however, a highly-rated WordPress plugin that disables the pingback functionality.
As Sucuri notes, for the gearheads who don’t trust plugins, one easy way to block your WordPress blog from participating in these attacks is to create your own plugin that incorporates the following code:
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
} );
Securi has declined to release the list of WordPress sites that are being used in these attacks, but it has posted an online tool that blog administrators can use to learn if their blogs have shown up in attack logs.
My hosting provider shared with me a list of the WordPress blogs that were used in the attack on this blog. I’m sharing it here to get the attention of WordPress administrators. I realize that some readers will view this as providing a roadmap for attacks, but I’m hopeful that making this information public will decrease the number of blogs that can be used in future such attacks.
The guys over at OpenDNS have more raw data on these attacks in a blog post that’s worth a read.