How Zendesk was used to attack WordPress sites

WordPress is a popular CMS system that many value due to its ease-of-use, as well as the fact that it’s free. However, in the last couple of years it has had to deal with a significant number of controversies regarding its security. Indeed, at any one time there are believed to be hundreds of potential vulnerabilities that could be exploited (as this list of past WP issues indicates).

One of the biggest emerging threats to modern WordPress sites is the pingback. In recent months, several attacks taking advantage of the feature have occurred, with one of the most notable involving a range of well-known sites, including Zendesk.com.

Pingback and Zendesk

For those unsure about the company, Zendesk is a software development firm that first opened its doors back in 2007. The company runs a SaaS suite designed to aid other firms with their help desk ticketing, issue tracking and customer service support in general.

The DDoS protection experts at Incapsula had to deal with a unique DDoS attack in which Zendesk.com played a key role.

What is a pingback, and how was it used for an attack?

Pingback works like this: when an article is posted on person A’s page linking to person B, and person B then links back to the post, a pingback is sent to person A (as long as their own site is pingback enabled). When this has been completed, person A’s blog will perform an automatic check to confirm that the pingback is legitimate. By taking advantage of this last feature, the attackers were able to herd Zendesk and the other websites into an unwitting botnet that participated in a DDoS-style assault capable of blanketing the victim sites with traffic.

It’s believed that a large percentage of WordPress websites are susceptible to attacks such as these. Indeed, research from Incapsula indicated that 8.49% of all Alexa top 25,000 websites could be exploited using the technique. With a network of over 100 million WordPress websites currently operating, hackers have an almost unlimited amount of resources to work with. What’s more, websites involved in the attack usually have no knowledge of it unless they’re actually the target.
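A target site can spot this kind of reflected traffic in its own access logs, because the verification request WordPress sends carries a User-Agent of the form "WordPress/<version>; <reflector URL>; verifying pingback from <ip>". The following added example (not code from the original article or from Incapsula) parses constructed Apache combined-format log lines, counts pingback-verification hits, and groups them by the IP that each reflector reports as the pingback's origin; one origin showing up behind many distinct WordPress sites is the signature of the attack described above.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines for illustration; hosts and IPs are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:12:00:01 +0000] "GET /?p=42 HTTP/1.0" 200 51200 "-" "WordPress/3.5.2; http://reflector-a.example; verifying pingback from 203.0.113.9"
198.51.100.8 - - [10/Mar/2014:12:00:01 +0000] "GET /?p=42&x=1 HTTP/1.0" 200 51200 "-" "WordPress/3.8.1; http://reflector-b.example; verifying pingback from 203.0.113.9"
192.0.2.5 - - [10/Mar/2014:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
198.51.100.9 - - [10/Mar/2014:12:00:02 +0000] "GET /?p=42&x=2 HTTP/1.0" 200 51200 "-" "WordPress/3.7; http://reflector-c.example; verifying pingback from 203.0.113.9"
"""

# Apache "combined" log format: client, identity, user, time, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress uses when fetching a page to verify a pingback.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<version>[\d.]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)


def parse_pingback_ua(ua):
    """Return (wp_version, reflector_site, origin_ip) or None for a non-pingback UA."""
    m = PINGBACK_UA_RE.match(ua)
    return (m["version"], m["site"], m["origin"]) if m else None


def analyze(log_text, min_reflectors=2):
    """Summarise pingback-verification traffic in a block of access-log text.

    Reports total pingback hits, hits per reported origin IP, and the origins
    that appear behind at least `min_reflectors` distinct WordPress sites.
    """
    hits = 0
    hits_by_origin = Counter()
    reflectors_by_origin = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parsed = parse_pingback_ua(m["ua"])
        if parsed is None:
            continue  # ordinary browser or crawler traffic
        _, site, origin = parsed
        hits += 1
        hits_by_origin[origin] += 1
        reflectors_by_origin[origin].add(site)
    suspects = {o: sorted(s) for o, s in reflectors_by_origin.items() if len(s) >= min_reflectors}
    return {"pingback_hits": hits, "hits_by_origin": dict(hits_by_origin), "suspects": suspects}
```

Run `analyze` over a real combined-format access log to list which origin IPs are driving pingback verifications against your site and how many reflectors each is using; a high reflector count from one origin is the pattern to alert on or rate-limit.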

Since Incapsula first documented the Zendesk assault, another took place using the exact same technique. During the course of this attack, over 50,000 bot visits were deflected, totaling at least 8,000,000 hits overall. At its height, the assault was measured as generating 1,000 hits per second. (Note that this attack was on the 3.5.2 version of WordPress, indicating that updated software alone – often purported to be a key part of windows security – isn’t enough to stop such attacks taking place.) Incapsula’s own blog contains more details regarding the assault.

Perhaps the biggest controversy is that the pingback feature is a standard feature of WordPress. Essentially, any site using the CMS system is susceptible to the attack.

Conclusion

Expert advice from web security firms remains the most foolproof method of defence, though it’s also a good idea to remove the pingback code in order to minimize the risk of it being used. This is done simply by logging into the web hosting panel and either editing or removing xmlrpc.php from the root of the WordPress installation.

*This article was written by freelance writer and mother of three, Kathryn Thompson. Follow her on Twitter: @katht35*
