Our researchers spent much of yesterday tracking a massive DDoS exploiting weaknesses in the Wordpress blogging platform. Most of the news reports are consistent with what we saw, so let's take a look at some of the more comprehensive pieces, starting with a CSOonline blog post from Akamai Security Advocate Dave Lewis. The overall message: This latest attack is just another example of an old and unaddressed problem.
"A quick and simple Google search underlies the problem with people using a platform like Wordpress," Dave wrote. "I found 111,000 sites that were exposing their database backups to the Internet. This includes all manner of websites from independent music sites to doctor offices and even some government websites."
He showed a sample database dump as indexed in Google. Any offending information was redacted:
By the time this Threatpost article was published yesterday, 162,000 Wordpress sites had been hijacked and used for the DDoS attack. Chris Brook wrote:
More than 162,000 "popular and clean" WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system's pingback feature.
While the WordPress team is aware of the issue, it's not expected to be patched as it's a default feature on WordPress, not a flaw, meaning it's a problem that will likely be left up to site developers to mitigate.
Lucian Constantin of the IDG News Service wrote that the attack had brought WordPress pingback abuse back into the spotlight:
The WordPress bug ticket related to the pingback DDoS issue was originally created in 2007 and reveals that WordPress' developers tried to partially mitigate the problem with several patches over the years, last time in WordPress 3.6, which was released in August.
However, completely disabling XML-RPC in the platform itself is unlikely because it's needed for important features.
What to do about all this? Dave Lewis offered some advice:
- Check your Wordpress site for exposures. If you are in fact running local backups, at least put a control in place to block access to them, like the plugins from Wordfence or Sucuri.
- Test your site to look for exposures. A handy tool that is available as a standalone application or in the Kali distribution is called WPScan. This is a purpose-built Wordpress security scanning tool that can help you find issues before someone pops your site.
- Practice safe blogging.
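As an added illustration of what "left up to site developers" looks like in practice (this is example code written for this post, not Akamai's, WordPress's or Dave Lewis's tooling), the script below runs the three checks discussed above over web-server access-log lines: whether your blog is being driven to POST pingbacks to someone else, whether other WordPress installs are hitting you with pingback verification fetches (i.e. you are the target), and whether database backup files are actually being served. It assumes the combined log format and that WordPress's verification fetch carries a User-Agent ending in `verifying pingback from <ip>`; the log lines are constructed samples.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed shape of the User-Agent WordPress sends while verifying a pingback:
#   "WordPress/3.8; http://blog.example; verifying pingback from 203.0.113.9"
VERIFY_RE = re.compile(r'verifying pingback from (?P<src>\S+)')
# Extensions that usually mark a database or site backup left in the web root.
BACKUP_RE = re.compile(r'\.(sql|sql\.gz|sql\.zip|bak|tar\.gz|zip)$', re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, xmlrpc_threshold=3):
    """reflector: client IPs with >= xmlrpc_threshold POSTs to /xmlrpc.php
                  (our blog is being used to pingback-flood a third party)
    targeted:  IPs of WordPress installs that fetched us "verifying pingback"
                  (our site is the one the flood is aimed at)
    exposed:   backup files that were actually served with HTTP 200"""
    xmlrpc, verifiers, exposed = Counter(), Counter(), set()
    for line in lines:
        r = parse(line)
        if not r:
            continue  # skip lines that are not in combined format
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc[r["ip"]] += 1
        if VERIFY_RE.search(r["ua"]):
            verifiers[r["ip"]] += 1
        if r["method"] == "GET" and r["status"] == "200" and BACKUP_RE.search(path):
            exposed.add(path)
    return {"reflector": {ip: n for ip, n in xmlrpc.items() if n >= xmlrpc_threshold},
            "targeted": dict(verifiers), "exposed": sorted(exposed)}

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE = [
    '203.0.113.9 - - [11/Mar/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [11/Mar/2014:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "WordPress/3.8; http://blog.example; verifying pingback from 203.0.113.9"',
    '192.0.2.45 - - [11/Mar/2014:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "WordPress/3.6; http://other.example; verifying pingback from 203.0.113.9"',
    '192.0.2.10 - - [11/Mar/2014:10:00:04 +0000] "GET /backup/wp_db.sql HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Mar/2014:10:00:05 +0000] "GET /wp-content/uploads/site.bak HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]
```

Run `analyze(SAMPLE)` to see the three buckets; the `.bak` request is deliberately not reported because it returned 404, so only backups that were really served count as an exposure.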