What’s going on? This:
Are you a WordPress blogger? Yes? Did you spend the weekend attacking a gaming site? No?
Don’t be so sure.
Incapsula, a Web services company that offers protection from distributed denial of service (DDoS) attacks, has announced that over the weekend one of its clients was the object of a sophisticated yet simple attack. The person or persons behind the assault exploited innocent WordPress sites to form an army of 2,500 blogs, all of which were sending relentless pingback requests to the target site.
Are you at risk? It seems to depend. If you’re hosted at WordPress.com, it appears the hackers, whoever they are, will not mess with you. If you’re independently hosted, using software from WordPress.org, and either running WordPress 3.5 or better OR simply enabling pingbacks, then yes, you are at risk. For you as a blogger, the worst-case scenario is having your blog visibly slow down (well, unless the Feds decide you were in on it, that is), which isn’t such a big deal. But it’s a big deal to the target of the attack, who sees nothing but thousands, tens of thousands or hundreds of thousands of ping requests from legitimate websites. The target doesn’t know how to shut it down, because the attacking blogs are not exactly infected. They’re just doing their jobs.
Want to opt out of becoming an inadvertent part of someone else’s botnet? Easily done. Go to the dashboard Discussion settings and disable pingbacks. DONE!
Yes, really that easy.
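From the target’s side, the flood described above is easier to recognise than the post suggests, because a WordPress blog verifying a pingback fetches the claimed source page with a distinctive User-Agent. The script below is an added example, not code from the post or from Incapsula; it assumes a combined-format access log and the User-Agent shape WordPress uses for that verification fetch (`WordPress/<version>; <blog url>; verifying pingback from <ip>`), and the log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent a WordPress blog sends while verifying the source of a pingback
# (assumed format, see lead-in): "WordPress/<ver>; <blog url>; verifying pingback from <ip>"
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<blog>\S+); verifying pingback from (?P<origin>\S+)$'
)

def parse_pingback_hit(line):
    """Return (reflector_ip, blog_url, origin_ip) for a pingback-verification
    fetch, or None for any other request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = PINGBACK_UA_RE.match(m.group('ua'))
    if not ua:
        return None
    return m.group('ip'), ua.group('blog'), ua.group('origin')

def summarize(lines):
    """Count verification hits per reflecting blog and collect the IPs that
    asked those blogs to ping us (the origin of the attack as each blog saw it)."""
    per_blog = Counter()
    origins = defaultdict(set)
    total = 0
    for line in lines:
        hit = parse_pingback_hit(line)
        if hit is None:
            continue
        _, blog, origin = hit
        per_blog[blog] += 1
        origins[origin].add(blog)
        total += 1
    return {'pingback_hits': total, 'reflecting_blogs': len(per_blog),
            'top_blogs': per_blog.most_common(3),
            'origins': {ip: sorted(b) for ip, b in origins.items()}}

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.10 - - [04/May/2013:10:00:01 +0000] "GET /big-page/ HTTP/1.0" 200 98211 "-" "WordPress/3.5.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [04/May/2013:10:00:01 +0000] "GET /big-page/ HTTP/1.0" 200 98211 "-" "WordPress/3.5.1; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.10 - - [04/May/2013:10:00:02 +0000] "GET /big-page/ HTTP/1.0" 200 98211 "-" "WordPress/3.5.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '192.0.2.44 - - [04/May/2013:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"',
]

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Blocking the reflecting blogs by IP would punish legitimate sites that are just doing their jobs; matching the verification User-Agent at the edge is the more usual filter, and the collected origin IPs are what to hand to the host or upstream.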
planetzuda
May 6, 2013
You explained the pingback hacking issue very well. Thankfully there is a way to fix it. If you disable pingbacks in the WordPress Dashboard, it will disable them but only for future posts and pages, which means your site is still vulnerable. That’s why we created the plugin disable insecure features. It disables all pingbacks for already published posts and pages as well as disabling the xmlrpc. It will disable a bunch of other insecure features in the near future.
I’d like to put it on record that it isn’t WordPress’s fault that this feature is abused by hackers. Pingbacks are a great feature and would work perfectly in a world without hackers.
raincoaster
May 6, 2013
That’s a good catch, thanks for the update.
planetzuda
May 6, 2013
Also, Incapsula wasn’t very clear on the type of attack they’re seeing. Disabling the xmlrpc.php does not disable pingbacks, because pingbacks are in class-ixr.php. The xmlrpc.php does accept pingbacks, but even if it is disabled you can still accept pingbacks.