WordPress has become the most popular CMS and continues to increase its market share. On the other hand, WordPress' popularity encourages attackers to find new ways to exploit WordPress websites. Recently, the WordPress XML-RPC interface was abused to launch distributed denial-of-service (DDoS) and brute-force attacks against WordPress websites.
WordPress exposes an XML-RPC interface (xmlrpc.php) which allows users to post to a WordPress website through popular weblog clients. WordPress supports the Blogger API, the MetaWeblog API, the Movable Type API, and the Pingback API, and plugins can extend this functionality further. The same interface also lets attackers abuse a WordPress website, so that exploited sites can be used as a platform to launch attacks against others through pingback abuse.
What Is a Pingback and How Does It Work?
A pingback is a built-in linkback feature that notifies you when someone links to one of your blog posts. When pingbacks are enabled on your WordPress website and you publish content that links to another website, an XML-RPC request is sent to that website, which then automatically fetches the source page to verify that the incoming link is really there. The whole process goes like this:
- We have published a post to our blog.
- You publish a post on your blog with a link to one of our posts.
- Your blogging platform automatically sends us a pingback.
- Our blogging platform receives the pingback and automatically visits your blog to verify that the link is present there.
- Now we can display your pingback as a comment on our post. This comment is a link back to your website.
Why should we disable pingbacks?
A WordPress website with pingbacks enabled can be used in DDoS attacks against other websites. An attacker can trigger the pingback functionality with a simple command and a single XML-RPC request, so thousands of legitimate WordPress websites can be exploited to launch a large-scale DDoS attack.
Nowadays, attackers are also using the XML-RPC interface and its wp.getUsersBlogs method to generate large-scale brute-force attacks against WordPress sites. Authenticated XML-RPC methods require a username and password, so attackers use a method like wp.getUsersBlogs to try a large number of passwords and possibly gain access to WordPress admin accounts. Rather than conducting brute-force attempts against the wp-admin login page, attackers have now begun to use XML-RPC, which is the fastest way to run a brute-force attack and is harder to detect as well.
How to Secure Your WordPress Website Against DDoS/Brute-Force Attacks
WordPress version 3.9.2 was released with a fix that reduced the impact of some DDoS attacks, but if pingbacks and XML-RPC are still enabled on your WordPress website, it can still be exploited. To protect your WordPress website against such attacks, disable pingbacks and XML-RPC entirely. You can install the XML-RPC Pingback WordPress plugin to disable pingbacks on your WordPress website.
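If you prefer not to add a plugin, the same hardening can be done with WordPress' own filter hooks. The following must-use plugin is an added example written for this post, not code from WordPress or from the plugin mentioned above; the file name and the decision to keep the posting APIs while dropping pingbacks are assumptions you can adjust.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (example)
 * Description: Removes the pingback methods and header so the site cannot be
 *              used as a pingback reflector; optionally disables the
 *              authenticated XML-RPC methods as well.
 * Save as: wp-content/mu-plugins/harden-xmlrpc.php (assumed path)
 */

// Drop the pingback methods from the XML-RPC method table. Clients that still
// call pingback.ping get a "method not found" fault instead of a fetch of the
// target URL, while the Blogger/MetaWeblog/Movable Type posting APIs keep working.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an "X-Pingback" header to
// every page, which is what scanners use to find pingback-capable sites.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Disable every XML-RPC method that needs credentials. This shuts the door on
// wp.getUsersBlogs password guessing, but note that it does NOT cover
// pingback.ping, which is unauthenticated; that is why the filter above is
// still needed. Remove this line if remote publishing clients must keep working.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

After deploying, confirm the change by calling system.listMethods on xmlrpc.php and checking that pingback.ping no longer appears, and watch POST requests to xmlrpc.php in your access log, since rate spikes there are the visible sign of the brute-force traffic described above.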