Posts

Your WordPress installation can be used in Denial of Service attacks

One of our employees at Basefarm, Senghan Bright, is the System Manager for WordPress here at Basefarm. Here is some information from him:

Due to a setting that is enabled by default on WordPress, there’s an exploit that can be used to send a request to a target domain using the WordPress site as a proxy.
With enough WordPress installations at your disposal, scripted requests from them collectively are enough to perform a denial of service.

Whilst this is not a new vulnerability, the amount of media attention this exploit has got in recent days brought it to my attention, and the raised awareness means the likelihood of this being used in the wild will have substantially increased:
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

These two sites go into a little more detail on how the API is used to perform the exploit:
http://blog.spiderlabs.com/2014/03/wordpress-xml-rpc-pingback-vulnerability-analysis.html
http://www.pentestgeek.com/2013/01/03/wordpress-pingback-portscanner-metasploit-module/

I’ve tested some proof-of-concept code on a few test WordPress installations, and observed the API successfully send requests out to a target site, with the source appearing to be the test WordPress installation with its IP.
There are various methods to disable the exploit. Since the API has a lot of perfectly valid functionality that customers may use on their sites, the least destructive method is to install the following WordPress plugin:

http://wordpress.org/plugins/disable-xml-rpc-pingback/

This disables the specific exploitable function, whilst leaving the rest of the API working as normal.
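On the target side, the abused installations can be picked out of the web server's access log, because a WordPress site fetches the claimed source URL in order to "verify" the pingback. The script below is an added example, not part of this post or of the linked analyses; it is written in PHP, assumes the Apache/Nginx combined log format, and assumes (current WordPress core behaviour, not stated in the post) that the verification request carries a User-Agent of the form `WordPress/<version>; <site URL>; verifying pingback from <IP of the XML-RPC caller>`. The log lines are constructed for the example.

```php
<?php
// Added example (not from the post): scan a target's access log for requests produced
// by WordPress's pingback.ping handler. Assumption: WordPress fetches the claimed
// sourceURI with a User-Agent of the form
//   "WordPress/<version>; <site-url>; verifying pingback from <caller-ip>"
// so one log line reveals both the abused installation and the XML-RPC caller.

/**
 * Parse combined-format log lines and tally pingback verification hits.
 * Returns an array keyed by "<wordpress-site>|<caller-ip>" => number of requests,
 * sorted with the busiest pair first.
 */
function find_pingback_sources(array $lines)
{
    $tally = array();
    // Combined log format: client-ip ident user [time] "request" status bytes "referer" "user-agent"
    $line_re = '/^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$/';
    // WordPress pingback verification User-Agent (see assumption above)
    $ua_re = '#^WordPress/[\d.]+; (https?://[^;\s]+); verifying pingback from (\S+)$#';

    foreach ($lines as $line) {
        if (!preg_match($line_re, trim($line), $m)) {
            continue; // not a combined-format line
        }
        if (!preg_match($ua_re, $m[2], $ua)) {
            continue; // ordinary traffic
        }
        $key = $ua[1] . '|' . $ua[2];
        $tally[$key] = isset($tally[$key]) ? $tally[$key] + 1 : 1;
    }
    arsort($tally);
    return $tally;
}

// Constructed sample log lines (not real traffic): two WordPress sites driven by the
// same XML-RPC caller, plus one unrelated browser request.
$sample = array(
    '198.51.100.7 - - [12/Mar/2014:10:00:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.9"',
    '198.51.100.7 - - [12/Mar/2014:10:00:01 +0000] "GET /?p=1 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.9"',
    '198.51.100.22 - - [12/Mar/2014:10:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.7; http://blog-b.example; verifying pingback from 203.0.113.9"',
    '192.0.2.5 - - [12/Mar/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
);

foreach (find_pingback_sources($sample) as $key => $count) {
    list($site, $caller) = explode('|', $key);
    printf("%-25s via XML-RPC caller %-15s %d requests\n", $site, $caller, $count);
}
```

The site URL in the User-Agent identifies which installations to notify (or whose owners to point at the plugin above), and the "verifying pingback from" address is the IP that actually called xmlrpc.php on each of them, which is what the target cannot otherwise see.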
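For those who prefer not to install a plugin, the same targeted fix can be applied from a must-use plugin file. The following is an added example written for this post, not the code of the plugin linked above; it relies on the core WordPress filters `xmlrpc_methods`, `wp_headers` and `xmlrpc_enabled`.

```php
<?php
/*
Plugin Name: Disable XML-RPC pingback (added example)
Description: Unregisters only the pingback XML-RPC methods, leaving the rest of the API intact.
*/

// Added example, not the linked plugin's code. Place this file in wp-content/mu-plugins/
// (a "must-use" plugin: loaded on every request, no activation step).

// Targeted fix: remove the pingback methods from the XML-RPC method table.
// 'xmlrpc_methods' filters the array of method name => handler before any call is dispatched,
// so pingback.ping simply no longer exists while everything else (posting, media, etc.) still works.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising pingback support in responses: drop the X-Pingback header
// ('wp_headers' filters the headers WordPress sends on front-end requests).
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// The blunt alternative: switch off the whole XML-RPC API. This is the "destructive" option
// mentioned above, as it also breaks legitimate remote publishing clients. Left disabled here.
// add_filter('xmlrpc_enabled', '__return_false');
```

To check that it took effect, call `system.listMethods` against `/xmlrpc.php` (for example with curl and a small XML-RPC body): `pingback.ping` should no longer appear in the returned list, while the other methods remain.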