Alert: WP Attacks
Let me start this out by saying UUUUGGGGHHHH!
There, now that I got that out of the way, let's dive into what's going on.
You’ve likely heard me (continue to) mention the need to tighten up your WordPress security efforts due to a HUGE spike in attacks on WordPress sites. This is unfortunately simply a downside of using the most popular CMS software available.
There are a lot of attack types happening at the moment – and a lot of things we’re going to discuss over the next week (so be sure to be on my email list!).
… but right now we have to tackle one serious current part of it.
I’m going to explain what’s happening – but if it makes your eyes glaze over, jump down to the “Solution” or “Summary” section below and DO THAT!
What’s Happening With the WordPress DDoS Attack Botnet
Over the last couple weeks you’ve likely heard me talk again and again about the increase in attacks on WordPress. There are several types of attacks going on and today we’re just going to cover ONE of them.
You’ve likely also heard me talking about the DDoS attacks on sites like Aweber, GetResponse, and MeetUp.com.
Most people are unaware that these attacks are directly related: the compromised WordPress sites in the first group are the source of the DDoS traffic hitting the second group. Yikes!
Generally speaking, rather than relying on the older method of infecting your computers, hackers have moved to infecting WordPress sites that they can then control like "zombies" (as they still do with your computers too) and use to carry out other attacks.
These infected systems then are used to attack other WordPress sites… and to attack their target sites, in this case any site that the hacker wants to “punish” and forcibly crash with a DDoS attack.
We started seeing another increase in XMLRPC-based attacks on our WordPress sites more than a year ago. Regular readers will remember me suggesting that you disable XMLRPC to help control this risk. But, at the time, we didn't know WHY XMLRPC was being attacked so heavily.
Now we see it all happening again and this time the hackers have gotten more powerful and now it’s obvious what the destination is.
By abusing the XMLRPC pingback feature, an attacker does not have to break into your site at all in order to make your WP installation send pingback requests to a destination site of their choosing.
This becomes a “Pingback Botnet”. Sucuri posted about 160,000 WordPress sites being used in a DDoS attack. And this number has been growing!
These pings are generally trivial… but when multiplied by MILLIONS they’re anything but trivial.
In fact, they result in a DDoS attack…. which is a "Distributed Denial of Service" attack. Distributed because the source of the attack comes from many places (and is thus VERY VERY HARD to stop) and Denial of Service because they flood the site and exhaust the server resources until the server crashes (over and over and over).
And thus, it’s possible that your site has been contributing to attacks on other sites… and if it is not currently, it’s likely it will be in the very near future if you don’t take some action.
You can test to see if your site was used in the WordPress Pingback Botnet by using Sucuri’s WordPress DDoS scanner. Don’t feel too cocky though if you test clean – because this thing is spreading like wildfire.
Who’s Protecting You?
Regular readers of this blog already know that my favorite WordPress security solution begins with using WordFence and Better WP Security (iThemes Security) in tandem. I’ll be talking more about both of these soon as well as releasing an update to my WordPress security course.
Unfortunately, at this time, neither has a complete solution for addressing what's going on. (I expect that to change when the new version of Better WP Security comes out next week.)
WordPress creator Matt Mullenweg released the following statement:
“This tradeoff in pingback’s design has been there for a decade now. It’s seldom used outside of experimentation because it gets shut down by anti-spam providers like Akismet or web hosts when used at any scale, and there are cheaper, easier, and more effective ways to DDOS sites. That’s why no serious attacks (above 2 gigabits per second) use it.” [source]
It's important to note that this issue does not introduce a vulnerability in sites that enable pingback via XMLRPC. It merely lets an attacker bundle your site together with a huge number of other WordPress sites and use all of them to send a large amount of traffic to a target site, in the hope of bringing that site to its knees under the heavy load. In other words, your site is being misused without ever being properly hacked.
Yet, regardless of Matt’s comment that it could not be used for high volume attacks, Ars Technica reports that the XMLRPC attacks are being used in a special way to target and drop sites without using a ton of traffic. This is why these lower volume attacks are suddenly painfully effective. Looks like the web has an Achilles heel.
Solution: Keeping YOUR WordPress Site From Participating In The WordPress DDoS Attack Botnet
We first learned about this round of attacks, and then WP Tavern posted an article about it: How To Prevent WordPress From Participating In Pingback Denial of Service Attacks. They link to the Sucuri blog post and also posted a code snippet that you can paste into your functions.php file to prevent your site from being taken advantage of. It all has to do with the infamous XMLRPC support built into WordPress.
Unfortunately, XML-RPC is enabled by default in versions of WordPress above 3.5! Yikes!
Why is XML-RPC important? This is a communication protocol that besides playing a role in pingbacks and trackbacks also enables us to connect to mobile apps (like the WordPress app) and WordPress servers (such as via the JetPack plugin).
Thankfully, with a little wizardry from Jeff at WP Tavern, we’re going to be able to continue to use the mobile apps (and JetPack if you’re so inclined – I’m not until they fix that resource bug!) while putting a stop to this nonsense.
You can either get the code block from the post on WP Tavern and put it into your theme's functions.php file (remember to re-add it if you change themes)…. or…
Thank my friends over at FooPlugins for converting it into a plugin and getting it into the WordPress plugin repository: Remove XMLRPC Pingback Ping. (If you have a different plugin in place for this task, I would remove it and use this one, as it will enable you to use mobile apps while blocking the attack.)
If you’re technical in nature, you can also use the steps detailed here to double check that the plugin, once activated, is in fact blocking this attack.
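As an added example (my own script, not code from WP Tavern, FooPlugins or the Remove XMLRPC Pingback Ping plugin), here is a small Python check you can run against your own site to confirm that pingback.ping is gone while the wp.* methods the WordPress mobile apps rely on are still there. It asks your site's xmlrpc.php for system.listMethods, which the WordPress XML-RPC server answers with the list of enabled methods; the WP Tavern snippet works by removing pingback.ping from that list, so a correctly protected site should answer without it. The three sample responses embedded below are constructed (not captured from any real site) so the script also runs offline; the site URL argument and the default /xmlrpc.php path are the only assumptions.

```python
"""Check whether a WordPress site still exposes pingback.ping over XML-RPC.

Usage: python check_pingback.py https://your-site.example
With no argument it classifies the constructed sample responses below.
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client
from typing import List, Optional

# Constructed sample responses (not captured from any real site).
# 1) pingback.ping still listed: the site can be enlisted in a pingback botnet.
SAMPLE_EXPOSED = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
<value><string>wp.newPost</string></value>
</data></array></value></param></params></methodResponse>"""

# 2) pingback.ping removed, wp.* methods kept: what the functions.php snippet
#    or the Remove XMLRPC Pingback Ping plugin should produce.
SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
<value><string>wp.newPost</string></value>
</data></array></value></param></params></methodResponse>"""

# 3) XML-RPC switched off entirely: safe from the botnet, but the mobile apps
#    and JetPack cannot connect either (constructed fault text).
SAMPLE_DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""


def build_list_methods_request() -> bytes:
    """Serialize a system.listMethods call; WordPress answers with every enabled method."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode("utf-8")


def parse_method_list(response_body: bytes) -> Optional[List[str]]:
    """Return the method names from the response, or None if the server sent a
    fault (which is what WordPress does when XML-RPC is disabled)."""
    try:
        params, _ = xmlrpc.client.loads(response_body)
    except xmlrpc.client.Fault:
        return None
    return [str(name) for name in params[0]]


def classify(response_body: bytes) -> dict:
    """Summarize the site's state from a system.listMethods response."""
    methods = parse_method_list(response_body)
    if methods is None:
        status = "disabled"
        methods = []
    elif "pingback.ping" in methods:
        status = "exposed"
    else:
        status = "hardened"
    return {
        "status": status,
        "pingback_exposed": "pingback.ping" in methods,
        # The WordPress mobile apps talk to the wp.* methods, so keeping them
        # means the apps still work after pingback.ping has been removed.
        "mobile_api_available": any(m.startswith("wp.") for m in methods),
    }


def fetch_method_list(site_url: str, timeout: float = 10.0) -> bytes:
    """POST the request to <site>/xmlrpc.php (assumed default path) and return
    the body; a fault may arrive with a non-200 status, so read those bodies too."""
    request = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.read()
    except urllib.error.HTTPError as err:
        return err.read()


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(classify(fetch_method_list(sys.argv[1])))
    else:
        for label, body in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED), ("disabled", SAMPLE_DISABLED)):
            print(label, classify(body))
```

Run it with your own site's URL after activating the plugin: "hardened" with mobile_api_available True is the result you want. "exposed" means pingback.ping is still reachable, and "disabled" means XML-RPC is off altogether, which stops the botnet but also breaks the mobile apps and JetPack that this post is trying to keep working.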
- Learn more about the threat : Sucuri
- Install the Remove XMLRPC Pingback Ping plugin to protect your site from unknowingly enlisting in the next Pingback Botnet : Remove XMLRPC Pingback Ping.
- (Optional) Test your site using the steps here.
- Install WordFence and Better WP Security to increase your site's defenses. (Disable duplicate tools to reduce conflicts.)
- Ensure you're taking high quality backups of your site, using a tool like BackupBuddy.
- Be on the lookout for my WordPress Security course soon!
Keep You Safe Online!
~ Kim ~
Simple Tech Tips For Marketing
PS: You’re welcome to republish this article in full as long as you include a dofollow link back to http://just-ask-kim.com and mention me as the source.