March 13, 2014

On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward.

At issue is the “pingback” function, a feature built into WordPress and plenty of other CMS tools that is designed to notify (or ping) a site that you linked to their content. Unfortunately, like most things useful on the Web, the parasites and lowlifes of the world are turning pingbacks into a feature to be disabled, lest it be used to attack others.

And that is exactly what’s going on. Earlier this week, Web site security firm Sucuri Security warned that it has seen attackers abusing the pingback function built into more than 160,000 WordPress blogs to launch crippling attacks against other sites.

“Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites,” Sucuri’s Daniel Cid wrote. “One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request.”
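What this looks like from the victim’s side: every reflecting blog fetches the target URL with a User-Agent that WordPress builds as “WordPress/&lt;version&gt;; &lt;blog home URL&gt;; verifying pingback from &lt;IP&gt;”, where the IP is whatever address connected to the reflector’s xmlrpc.php and is therefore attacker-controlled, while the home URL is the reflector itself. The following script is an added example (not code from Krebs, Sucuri or WordPress) that picks those hits out of a combined-format access log and ranks reflectors; the log lines and hostnames in it are constructed for illustration.

```python
"""Flag WordPress pingback-reflection traffic in a combined-format access log.

Added example, not from the original post. A reflecting WordPress site sends
the victim a GET whose User-Agent is
"WordPress/<ver>; <reflector home URL>; verifying pingback from <claimed IP>".
The claimed IP is whatever hit the reflector's xmlrpc.php (usually spoofed),
so only the reflector URL in the string is trustworthy.
"""
import re
from collections import Counter

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The User-Agent WordPress sets on its pingback verification request.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[^;]+); (?P<home>https?://[^;]+); '
    r'verifying pingback from (?P<claimed_ip>[0-9a-fA-F.:]+)$'
)


def parse_line(line):
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def pingback_reflection(entry):
    """Return reflection details if the entry is a pingback verification GET."""
    if entry is None or entry["method"] != "GET":
        return None
    m = PINGBACK_UA_RE.match(entry["ua"])
    if not m:
        return None
    return {
        "reflector_ip": entry["ip"],
        "reflector_home": m.group("home"),
        "wp_version": m.group("version"),
        "claimed_source": m.group("claimed_ip"),
        "path": entry["path"],
    }


def summarize(lines, threshold=2):
    """Count hits per reflector; return (reflectors at/above threshold, all hits)."""
    hits = [h for h in (pingback_reflection(parse_line(l)) for l in lines) if h]
    by_reflector = Counter(h["reflector_home"] for h in hits)
    return {home: n for home, n in by_reflector.items() if n >= threshold}, hits


# Constructed sample log (hosts and addresses are made up). The random query
# strings mimic the cache-busting attackers append to the target URL.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:14:02:11 +0000] "GET /?8143 HTTP/1.0" 200 5123 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [12/Mar/2014:14:02:11 +0000] "GET /?8144 HTTP/1.0" 200 5123 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.55 - - [12/Mar/2014:14:02:12 +0000] "GET /?8145 HTTP/1.0" 200 5123 "-" "WordPress/3.5; http://blog-b.example; verifying pingback from 198.51.100.7"
192.0.2.20 - - [12/Mar/2014:14:02:12 +0000] "GET /about/ HTTP/1.1" 200 8830 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
192.0.2.21 - - [12/Mar/2014:14:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

if __name__ == "__main__":
    noisy, hits = summarize(SAMPLE_LOG.splitlines())
    for home, n in sorted(noisy.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} hits via reflector {home}")
```

Run it against a real log with `summarize(open("access.log"))`; the reflector home URLs it returns are the sites to notify, and the claimed source addresses are the ones not to trust, since the attacker chooses them.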

Bloggers can disable pingback on posts by clicking “Settings” then “Discussion”, and then unchecking the following options if they are checked:

-Attempt to notify any blogs linked to from the article
-Allow link notifications from other blogs (pingbacks and trackbacks)

Unfortunately, Cid said, this only appears to prevent pingbacks on new blog posts and does nothing to disable pingbacks on posts that are already published for which pingback was previously enabled. There is, however, a highly-rated WordPress plugin that disables the pingback functionality.

As Sucuri notes, for the gearheads who don’t trust plugins, one easy way to block your WordPress blog from participating in these attacks is to create your own plugin that incorporates the following code:

&lt;?php
/* Plugin Name: Disable Pingback Method */
// Remove pingback.ping from the XML-RPC method table, so xmlrpc.php
// answers "method does not exist" instead of fetching the "source" URL.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
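Once the filter is in place, confirm it from the outside the same way an attacker’s script would: ask xmlrpc.php for `system.listMethods` and check that `pingback.ping` is gone, or send a `pingback.ping` and expect the “requested method does not exist” fault. The script below is an added example, not code from the post or from WordPress; the sample responses are constructed to match the shape WordPress’s XML-RPC server produces, and the live check at the bottom only runs when you pass a URL (use it on your own site).

```python
"""Check whether a WordPress site still exposes pingback.ping over XML-RPC.

Added example, not from the original post or from WordPress/Sucuri. It builds
the system.listMethods and pingback.ping calls an attacker's script would send
and classifies the responses. The sample responses are constructed; the live
fetch at the bottom only runs if you pass a URL.
"""
import sys
import xmlrpc.client


def list_methods_request():
    """XML-RPC body for system.listMethods (what you POST to /xmlrpc.php)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def pingback_request(source_uri, target_uri):
    """XML-RPC body for pingback.ping; a reflector fetches source_uri to verify it."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def methods_from_response(xml):
    """Parse a system.listMethods response into a list of method names."""
    params, _ = xmlrpc.client.loads(xml)
    return list(params[0])


def pingback_enabled(xml):
    """True if the listed methods still include pingback.ping."""
    return "pingback.ping" in methods_from_response(xml)


def classify_pingback_response(xml):
    """'disabled' when the server reports the method missing (fault -32601),
    'fault:<code>' for any other fault, 'accepted' if the call returned a value."""
    try:
        xmlrpc.client.loads(xml)
    except xmlrpc.client.Fault as f:
        if f.faultCode == -32601:
            return "disabled"
        return f"fault:{f.faultCode}"
    return "accepted"


# Constructed: a site that still reflects answers system.listMethods like this.
LIST_RESPONSE_VULNERABLE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed: the same call after the xmlrpc_methods filter removed the method.
LIST_RESPONSE_FIXED = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed: the fault a fixed site returns to pingback.ping.
PING_RESPONSE_FIXED = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>-32601</int></value></member>
<member><name>faultString</name><value><string>server error. requested method pingback.ping does not exist.</string></value></member>
</struct></value></fault></methodResponse>"""


def check_live(url):
    """POST system.listMethods to a real xmlrpc.php. Only against sites you own."""
    import urllib.request
    req = urllib.request.Request(url, data=list_methods_request().encode(),
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return pingback_enabled(r.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("pingback.ping exposed:", check_live(sys.argv[1]))
    else:
        print("vulnerable sample:", pingback_enabled(LIST_RESPONSE_VULNERABLE))
        print("fixed sample:", pingback_enabled(LIST_RESPONSE_FIXED))
        print("ping to fixed site:", classify_pingback_response(PING_RESPONSE_FIXED))
```

Run `python3 check_pingback.py https://yourblog.example/xmlrpc.php` after activating the filter; `True` means the method is still advertised and the site can still be used as a reflector.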

Sucuri has declined to release the list of WordPress sites that are being used in these attacks, but it has posted an online tool that blog administrators can use to learn if their blogs have shown up in attack logs.

My hosting provider shared with me a list of the WordPress blogs that were used in the attack on this blog. I’m sharing it here to get the attention of WordPress administrators. I realize that some readers will view this as providing a roadmap for attacks, but I’m hopeful that making this information public will decrease the number of blogs that can be used in future such attacks.

The guys over at OpenDNS have more raw data on these attacks in a blog post that’s worth a read.


52 thoughts on “Blogs of War: Don’t Be Cannon Fodder”

  1. Mike Broussard

    Unfortunately, my IP was in the list. I’m so sorry. But, I have just upgraded to the newest version of Akismet, which helps with the problem:

    “Update March 18: Akismet has released a new version of the anti-spam plugin that mitigates this problem in two ways:

    -Spam checks on pingbacks are now done before the verification request is sent, so that once an attack is identified, Akismet will prevent blogs from participating.
    -An X-Pingback-Forwarded-For header is added to the verification request identifying where the pingback actually came from, making WordPress+Akismet a less attractive choice as a reflector by removing the anonymity.”

    This info is from: http://www.hyperborea.org/journal/2014/03/pingback-ddos/

  2. Lee Church

    I thought it interesting that I saw a Chinese attempt on a day of DDOS attacks.
    ——- log entry (Edited so router and time can’t be matched up by Chinese)
    Wed Mar 19 03:19:15 2014 1 Blocked DOS from 113.232.189.196
    _____

    The take-away is that some actors (e.g. Chinese) may be trying to use the DDOS attacks to mask other hacking attacks.

    It also appears there may be coordination among the DDOS and the Chinese hackers, which makes a strong case for it being state sponsored.

  3. Phil Erb

    Regarding the Disable XML_RPC plugin, as the plugin author… the plugin was not designed for the purpose of disabling pingbacks. It does one very simple thing – set the “xmlrpc_enabled” filter to false. This filter was introduced in WordPress 3.5, when the UI option to disable XML-RPC was removed and it was enabled by default. This filter does not remove pingbacks.

    I had some edge cases where a site owner did not need or want remote publishing and wanted XML-RPC disabled to lessen his security footprint. I decided to release the plugin to the repository, in case anyone else found it useful.
