Akamai Diversity

The Akamai Blog

Wordpress DDoS: New Attack, Old Problems

Our researchers spent much of yesterday tracking a massive DDoS exploiting weaknesses in the Wordpress blogging platform. Most of the news reports are consistent with what we saw, so let's take a look at some of the more comprehensive pieces, starting with a CSOonline blog post from Akamai Security Advocate Dave Lewis. The overall message: This latest attack is just another example of an old and unaddressed problem.

"A quick and simple Google search underlies the problem with people using a platform like Wordpress," Dave wrote. "I found 111,000 sites that were exposing their database backups to the Internet. This includes all manner of websites from independent music sites to doctor offices and even some government websites."

He showed a sample database dump as indexed in Google. Any offending information was redacted:


As Dave noted, "This is one of over 110,000 databases. Are the passwords hashed? Yes, for the most part. Would this be considered hacking? By some, yes. That troubles me greatly. These are sites that have exposed themselves completely and have their databases indexed in search engines. I can only imagine the horde of angry villagers that would show up at my doorstep with pitchforks and torches if I named the sites specifically. Which I won't do."

By the time this Threatpost article was published yesterday, 162,000 Wordpress sites had been hijacked and used for the DDoS attack. Chris Brook wrote:

More than 162,000 "popular and clean" WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system's pingback feature.

While the WordPress team is aware of the issue it's not expected to be patched as it's a default feature on WordPress, not a flaw, meaning it's a problem that will likely be left up to site developers to mitigate.

Lucian Constantin of the IDG News Service wrote that the attack had brought WordPress pingback abuse back into spotlight:

The WordPress bug ticket related to the pingback DDoS issue was originally created in 2007 and reveals that WordPress' developers tried to partially mitigate the problem with several patches over the years, last time in WordPress 3.6, which was released in August.

However, completely disabling XML-RPC in the platform itself is unlikely because it's needed for important features.

What to do about all this? Dave Lewis offered some advice:

  • Check your Wordpress site for exposures. If you are in fact running local backups at least put a control in place to block access to them like the plugins from Wordfence or Sucuri.
  • Test your site to look for exposures. A handy tool that is available as a standalone application or available in the Kali distribution is called WPScan. This is a purpose build Wordpress security scanning tool that can help you find issues before someone pops your site.
  • Practice safe blogging.


Wordpress DDOS attack is really a big problem. I hope developers will take time to solve such problems and also administrators.

WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability launch a Application Layer DDoS attack.
We all should take steps to hardened our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website to be used in DDoS attack. Details: How to Protect DDoS Attacks on WordPress