162,000 reasons to tighten up WordPress security

"Cyber-criminals continue to innovate and find vulnerabilities to exploit for their criminal activity" says Lancope CTO Tim Keanini.

162,000 reasons to tighten up WordPress security
162,000 reasons to tighten up WordPress security

WordPress may be one of the most popular website systems used to publish on the Internet, but its open source nature - and consequent security challenges - have been highlighted this week after around 160,000 WordPress sites have apparently been used as DDoS zombies.

Security research firm Securi reports that the WordPress pingback option - which allows WordPress sites to cross-reference blog posts - has been misused in recent times by unknown hackers to launch large-scale, distributed denial-of-service (DDoS) attacks. 

The attack vector used is not unknown as, back in the summer of last year, Incapsula reported that one of its clients was targeted in a pingback DDoS attack involving 1,000 page hits a second.

Securi says it has been monitoring a swarm attack involving more than 162,000 WordPress sites and collectively generating many hundreds of IP requests to a single WordPress site.

Whilst Daniel Cid, Securi's CTO, has declined to identify the site, this suggests the attack may have been a proof-of-concept trial. 

On a technical level, the attack vector exploits an issue with the XML-RPC (XML Remote Procedure Call) code within WordPress and which is used for pingbacks, trackbacks and remote access from mobile Web browsers.

SCMagazineUK.com notes that WordPress has known about the issue for several years, but the problem is that it a key structural issue with WordPress's kernel architecture.

Despite this, WordPress development teams have changed the default setting of sites to operate with a Web cache, meaning there is less load placed on the hosting server concerned.

The hackers, however, have generated fake website addresses within their IP calls, so bypassing the web cache.

Securi's CTO says he been talking to WordPress developer teams about the issue, who are reportedly investigating a workaround.

Tim Keanini, CTO of Lancope, said that the structural natures of the issue mean that it is not something that will ever go away.

“Think of it as a supply chain and these criminals need compromised connected computers for their botnets - if you are connected for whatever reason to the Internet, you are a part of this supply chain," he said, adding that cyber-criminals continue to innovate and find vulnerabilities to exploit for their criminal activity.

To add to this, he explained, we - as Internet users - continue to put insecure devices on the Internet and with the Internet of Things ramping up, he warns there is just no end to the supply of targets.

"What we need to do is to focus on the precision, timeliness, and leadership through these crisis – not the fact that they will just go away. They are here to stay and a part of doing business in the Internet age. When these events happen, what does leadership look like that provides business continuity and restores customer confidence? That is the question we need to be asking because hanging your head in shame does no one any good," he said. 

Sean Power, security operations manager with DDoS security vendor DOSarrest, said that the vulnerabilities in old versions of WordPress mean that hackers can exploit them to be used for DDoS attacks.

"This is nothing new - in fact, it was first recognised back in 2007. Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks," he said. 

"The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners," he added.

Power went on to say that this a prime example of how users aren't regularly performing updates to their websites - "because if they were, we wouldn't still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw.”