
WordPress infected

The company Sucuri is currently causing a stir among WordPress users, with over 162,000 blogs now infected. Infected with what? We will get to that in a moment, because the story begins elsewhere. Sucuri received a call for help from a major website that was suffering from DDoS attacks. A DDoS (Distributed Denial of Service) attack essentially cripples the servers: thousands of bots access a website simultaneously, bypass its cache and push the hosting platform to its absolute limit. The website then becomes extremely slow or is no longer reachable at all.

But the interesting thing about the DDoS attack Sucuri investigated was something else: the attack came from various blogs running on WordPress. Sucuri tested and analysed again and found that the attacks originated from perfectly legitimate, harmless blogs. So this is not a dedicated DDoS botnet but, more or less, hacked WordPress sites that were silently manipulated into serving as attackers. But how is that possible?

XML-RPC vulnerability

Let's put it this way: you surely remember my post on XML-RPC, don't you? Since WordPress 3.5 the interface is no longer optional but is activated automatically. Deactivating it seemed easy at first, but then turned out to be slightly more awkward. Now it is clear that deactivating it makes a lot of sense, because the DDoS attacks Sucuri investigated were all launched by means of a simple XML pingback: a single request to the XML-RPC interface with disastrous consequences. I had voiced exactly these security concerns when WordPress 3.5 was released. Now exactly this interface is to blame for DDoS attacks.

Snippet against DDoS

The problem now is that the mechanism is well known in every detail. It is one of those bugs that is by now considered a feature, because many plugins rely on it. The only real solution is to deactivate the XML-RPC interface. The catch: as already mentioned, some plugins use XML-RPC and need the interface to work correctly. Alternatively, the following snippet can help, although I personally still favour complete deactivation. You can find out how to do that here.

Copy the following into the functions.php of your theme:

// Remove the pingback.ping method from the XML-RPC interface so this site
// can no longer be used as a pingback reflector; every other XML-RPC method
// that plugins may rely on stays available.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
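To verify that the snippet has taken effect, here is an added Python self-check (not part of the original post): it asks xmlrpc.php for its method list via system.listMethods and reports whether pingback.ping is still offered. The sample responses are constructed, and the site URL is a placeholder you replace with your own.

```python
"""Self-check: does a WordPress site still offer the pingback.ping XML-RPC
method?  Parsing is kept apart from the HTTP call so it runs offline too."""
import xmlrpc.client
from urllib.error import HTTPError
from urllib.request import Request, urlopen

XMLRPC_PATH = "/xmlrpc.php"  # WordPress' XML-RPC endpoint


def build_list_methods_request() -> bytes:
    # system.listMethods takes no parameters; the server answers with an
    # array of the method names it currently exposes.
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def pingback_exposed(response_body: bytes) -> bool:
    # A <fault> reply (e.g. XML-RPC switched off by a plugin) means the
    # method cannot be called, so it counts as not exposed.
    try:
        (methods,), _ = xmlrpc.client.loads(response_body)
    except xmlrpc.client.Fault:
        return False
    return "pingback.ping" in methods


def check_site(base_url: str, timeout: float = 10.0) -> bool:
    # Live check: POST system.listMethods to xmlrpc.php.  An HTTP error
    # (e.g. 403 from a web-server block) also counts as not exposed.
    req = Request(base_url.rstrip("/") + XMLRPC_PATH,
                  data=build_list_methods_request(),
                  headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return pingback_exposed(resp.read())
    except HTTPError:
        return False


# Constructed sample responses (not captured from any real site): the method
# list before and after the xmlrpc_methods filter removes pingback.ping, and
# the fault a site returns when XML-RPC is disabled altogether.
SAMPLE_BEFORE = xmlrpc.client.dumps(
    (["system.listMethods", "pingback.ping", "wp.getPosts"],),
    methodresponse=True).encode()
SAMPLE_AFTER = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts"],), methodresponse=True).encode()
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled"),
    methodresponse=True).encode()
```

Run `check_site("https://your-blog.example")` against your own site (placeholder URL); the SAMPLE_* constants exercise the parser offline, with SAMPLE_BEFORE reporting True and the other two False.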

Switching off as a precaution

By the way, Sucuri also lets you have your website tested. Just enter your own URL and the form checks whether you are affected as well, or whether your website is attacking others and is therefore, in the end, partly responsible. Deactivating XML-RPC still helps best, and my 8 steps to WordPress security should now be of greater interest again. With that, I wish you a nice day and hope you will never be hit by such crap with your website.

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics, but I also like to write about SEO, which has been my passion for over 10 years now.
