Incapsula has warned of a vulnerability in WordPress that can be exploited for DDoS attacks. Because the vulnerable feature is enabled in a default WordPress installation, millions of sites are under direct threat. Incapsula came across the issue while handling a massive DDoS attack against a gaming website, in which the attack traffic originated from about 2,500 WordPress websites, including some big names such as Trend Micro, Zendesk and Gizmodo.
Incapsula said of the attack:
These sites were not compromised, taken over, or rooted. Instead, the attackers took advantage of an existing WordPress vulnerability and abused the site, herding it into a voluntary botnet.
The attack abuses the pingback feature, which lets one blog notify another that it has linked to it (a cross-reference between blogs). A WordPress site that receives a pingback fetches the "source" URL named in the request to verify the link, so an attacker can send pingback requests naming the victim's site to thousands of WordPress installations from a single machine, causing millions of requests to hit the victim from many locations. WordPress enables this feature by default and offers no admin setting that switches the XML-RPC pingback endpoint off, so a stock installation has no protection against the attack.
The image above shows how websites built on WordPress can be turned against another website.
Incapsula further said:
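The mechanism described above, as an added example that is not part of the article and not WordPress's own code: it builds the `pingback.ping` XML-RPC call an attacker POSTs to a reflector's `xmlrpc.php`, decodes it the way a server would, and runs a deliberately simplified model of the reflector's handling to show that one small POST produces an HTTP GET against the victim. The victim URL, the reflector post URL and the `fetch` stand-in are constructed for the demo; real WordPress additionally resolves the target to a post and checks that pings are open before fetching.

```python
"""Model of the WordPress pingback.ping reflection.

Added example, not code from the article or from WordPress itself.
URLs below are constructed for the demo.
"""
import xmlrpc.client
from urllib.parse import urlparse

VICTIM_URL = "https://victim.example/"                  # constructed victim
REFLECTOR_POST = "https://blog.example/2014/03/hello/"  # constructed reflector post


def build_pingback_request(source_uri: str, target_uri: str) -> bytes:
    """Build the XML-RPC body an attacker POSTs to a reflector's xmlrpc.php.

    The Pingback method is pingback.ping(sourceURI, targetURI), meaning
    "sourceURI links to targetURI". The attacker names the victim as the
    source, so the reflector will go and fetch it.
    """
    return xmlrpc.client.dumps((source_uri, target_uri),
                               methodname="pingback.ping").encode()


def parse_pingback_request(body: bytes):
    """Decode an XML-RPC call as a server would; returns (method, source, target)."""
    params, method = xmlrpc.client.loads(body.decode())
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError("not a pingback.ping call")
    return method, params[0], params[1]


def reflect(body: bytes, own_host: str, fetch) -> str:
    """Simplified model of what a WordPress reflector does on pingback.ping.

    `fetch(url) -> str` stands in for the HTTP GET WordPress performs to
    confirm that sourceURI links back to targetURI; it is injected so the
    example runs offline. The fetch is the reflected request that hits the
    victim, and it happens before the link check can fail.
    """
    _, source, target = parse_pingback_request(body)
    if urlparse(target).hostname != own_host:
        return "fault: target is not on this site"
    page = fetch(source)  # reflected request hits the victim here
    if target in page:
        return "pingback registered"
    return "fault: source does not link to target"


if __name__ == "__main__":
    seen = []

    def demo_fetch(url):
        seen.append(url)
        return "<html>no link here</html>"

    body = build_pingback_request(VICTIM_URL, REFLECTOR_POST)
    print(body.decode())
    print(reflect(body, "blog.example", demo_fetch))
    print("victim fetched:", seen)
```

Each reflector returns a fault to the attacker, but the victim has already served a request from the reflector's IP address; repeating the POST against many WordPress sites spreads the load across their addresses, which is the "voluntary botnet" Incapsula describes.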
This gives any attacker a virtually limitless set of IP addresses to distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.
Some of the largest news and media sites are hosted on WordPress these days and each of these sites carry lots of DDoS firepower that can be exploited in this way. Some of the more noticeable sites that we found to be exploitable included Venturebeat.com, TechCrunch.com, TheNextWeb.com, WordPress.org itself and apparently Kobe now has another Achilles’ heel at kobebryant.com.
That brings the number of websites that can be exploited in a pingback DDoS attack to 8.49% of the Alexa top 25,000 websites.
The vulnerability was reported last year by Acunetix but has not been fixed by WordPress. Worse, the issue has been known for the last six years and is still open to exploitation.
Incapsula, explaining the vulnerability, said:
What has made this surface is the fact that, until recently, the whole XML-RPC mechanism was disabled by default. WordPress 3.5 was released with this feature enabled and exploitable, by default. Any website with pingback functionality enabled is susceptible, and can be used by hackers to launch Denial of Service attacks.
You can stop your site from being used as a reflector by logging into your web hosting control panel (cPanel, H-Sphere, Plesk, etc.) and deleting or renaming xmlrpc.php in the root directory of your WordPress installation. Keep in mind that this also disables legitimate XML-RPC clients such as the WordPress mobile apps, and that a WordPress core update may put the file back, so re-check after every update.
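A way to verify the mitigation, as an added example that is not part of the article: it POSTs `system.listMethods` to `/xmlrpc.php` and reports whether the endpoint still advertises `pingback.ping`. The verdict logic is separated from the network call so it can be exercised offline against the constructed sample responses; `check_site` performs the live request (the host name in the `__main__` block is a placeholder).

```python
"""Check whether a WordPress site still exposes pingback.ping.

Added example, not code from the article or from WordPress. Sample
responses below are constructed for offline use.
"""
import urllib.error
import urllib.request
import xmlrpc.client

# Body of the system.listMethods call (takes no parameters).
LIST_METHODS_CALL = xmlrpc.client.dumps((), methodname="system.listMethods")

# Constructed sample responses: an untouched site, and one where the
# pingback method has been removed from the method table.
SAMPLE_INTACT = xmlrpc.client.dumps(
    (["system.listMethods", "pingback.ping", "wp.getPosts"],), methodresponse=True)
SAMPLE_FILTERED = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts"],), methodresponse=True)


def classify_xmlrpc_response(status: int, body: str) -> str:
    """Map an HTTP status and body from /xmlrpc.php to a verdict.

    'exposed'  - XML-RPC answered and lists pingback.ping
    'disabled' - file gone or blocked (403/404/410), or method not offered
    'unknown'  - anything else (server error, non-XML placeholder page,
                 or an XML-RPC fault, which needs a closer look)
    """
    if status in (403, 404, 410):
        return "disabled"
    if status != 200:
        return "unknown"
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except Exception:  # xmlrpc.client.Fault, ResponseError, ExpatError
        return "unknown"
    return "exposed" if "pingback.ping" in methods else "disabled"


def check_site(site_url: str, timeout: float = 10) -> str:
    """Live check: POST system.listMethods to <site>/xmlrpc.php (network)."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=LIST_METHODS_CALL.encode(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_xmlrpc_response(
                resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 403/404 arrive as exceptions; classify them like any other status.
        return classify_xmlrpc_response(
            err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("intact site  :", classify_xmlrpc_response(200, SAMPLE_INTACT))
    print("filtered site:", classify_xmlrpc_response(200, SAMPLE_FILTERED))
    print("file removed :", classify_xmlrpc_response(404, "Not Found"))
    # Live check against a placeholder host; replace with your own site.
    # print(check_site("https://blog.example"))
```

Run the live check after applying the mitigation and again after each WordPress update; an `exposed` verdict means the site can still be enlisted as a reflector, while `unknown` (for example a placeholder HTML page served with status 200) should be inspected by hand rather than taken as safe.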