New Layer 7 Attack Utilizes Pingback Function in WordPress


WordPress is a widely used CMS across the web and even we utilize the same technology for our blog.  Since WordPress is widely deployed, hackers have figured out a way to utilize the pingback function in WordPress to bring the website offline.  A typical DDoS attack would rely on opening multiple connection to the IP thus flooding the server and exhausting the server resources.  In the case of WordPress, the attackers are using the Pingback function which leaves a comment when the page is linked from other website.

The attack was first disclosed in 2014 by Sucuri and it was described as a layer 7 attack using 162,000 plus WordPress sites.  Layer 7 attacks focus primarily on the application layer instead of the network layer.  By default, WordPress sites have ping back enabled and this is the root cause of the problem.  The hackers are simply using a botnet that they control and using ping back to leave a comment on the url that they would like to bring offline.  As large number of comments are submitted from thousands of websites, the server resources become exhausted thus bringing it offline.  Since WordPress relies heavily in PHP and MySQL, a small attack can bring a website offline due to resource consumption  from php/mysql.

Currently, these attacks account for 13% of all DDoS attacks that take place online and these attacks are hard to control using a firewall.  At most the firewall will rate limit the IP address but the attack will continue to come in to the website.  Analysis of the attacks have shown up to 26,000 WordPress based sites sites using ping back option to attack a website.    At any given moment, up to 10,000 HTTPS connections are being made using the ping back tool the attack website

Providers like Incapsula, Psychz, Cloudflare can provide layer 7 ddos attack protection but webmasters should take steps to avoid their websites from being used in an attack by disabling ping back feature for now.  Many webmasters rely on pingback to let other authors know that they have linked to their website and thus help with marketing but webmasters might be putting their website at risk by not disabling pingback feature until a good solution is published by WordPress.  Furthermore, it is also recommended to disable XML-RPC on WordPress installation to lower the risks.


Leave a Reply

Your email address will not be published. Required fields are marked *