Many WordPress websites are still being misused to perform layer 7 DDoS attacks against target servers, even though preventing them from participating in these attacks is as simple as disabling the pingback feature.
“If you are not familiar with the terminology, Layer 7 attacks (also known as HTTP flood attacks) are a type of DDoS attack that disrupts your server by exhausting its resources at the application layer, instead of the network layer,” Sucuri Security CTO Daniel Cid explained in a recent blog post.
“They do not require as many requests or as much bandwidth to cause damage; they are able to force a large consumption of memory and CPU on most PHP applications, CMSs and databases.”
According to the company, this type of DDoS attack is becoming less common, possibly because newer WordPress versions record the IP address from which the pingback request originated in the User-Agent string of the verification request they send to the target.
That lets defenders pinpoint the hosts issuing the pingbacks (the attack's C&C servers), flag them as compromised or malicious, and work to have them shut down.
“In a recent case we investigated, 26,000 different WordPress sites were generating a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website. At some intervals, the attack would peak to almost 20,000 HTTPS requests per second,” Cid shared.
Still, few website owners or admins check the User-Agent strings in their web server logs to establish where pingback traffic really comes from, which is why this type of attack still accounts for a considerable share (13%) of all DDoS attacks Sucuri tracks.
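To show what that log check looks like in practice, here is an added example (not code from the article or from Sucuri) that parses combined-format access log lines, picks out WordPress pingback verification requests, and attributes them to the IP address recorded in the User-Agent. The log format, the exact User-Agent layout and the log lines in SAMPLE_LOG are assumptions constructed for the demo; the script also separates out reflectors running an older WordPress whose User-Agent carries no origin, so you can see how much of the traffic is still unattributable.

```python
"""Pull the real origin of pingback-reflection traffic out of a web server log.

Added example, not from the article or from Sucuri. It assumes the Apache/nginx
"combined" log format and the User-Agent that recent WordPress versions send on
the verification request they make for each pingback:
    WordPress/<version>; <reflector site URL>; verifying pingback from <origin IP>
The log lines in SAMPLE_LOG are constructed for this demo.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Newer WordPress appends the address that submitted the pingback to its UA.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+); '
    r'verifying pingback from (?P<origin>[0-9a-fA-F:.]+)$'
)

# Constructed sample: three reflectors driven by 203.0.113.5, one by 203.0.113.77,
# one reflector on an old WordPress, and one ordinary browser visit.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [10/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.3.1; http://blog-b.example; verifying pingback from 203.0.113.5"
198.51.100.12 - - [10/Mar/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://old-blog.example"
198.51.100.10 - - [10/Mar/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 203.0.113.5"
192.0.2.44 - - [10/Mar/2016:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
198.51.100.13 - - [10/Mar/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.4.1; http://blog-c.example; verifying pingback from 203.0.113.77"
"""


def parse_line(line):
    """Split one combined-format log line into its fields, or return None."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze(log_text):
    """Attribute WordPress-originated hits to the host that triggered them.

    Returns a dict with:
      origins               Counter of hits per originating (attacker) IP
      reflectors_by_origin  origin IP -> set of reflector IPs it used against us
      legacy_reflectors     WordPress-UA requesters that name no origin (old
                            WordPress pingback checks or ordinary WP fetches)
      wordpress_ua_hits     number of requests carrying a WordPress/ User-Agent
    """
    origins = Counter()
    reflectors_by_origin = defaultdict(set)
    legacy = set()
    hits = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not entry["ua"].startswith("WordPress/"):
            continue
        hits += 1
        m = PINGBACK_UA_RE.match(entry["ua"])
        if m:
            origins[m["origin"]] += 1
            reflectors_by_origin[m["origin"]].add(entry["ip"])
        else:
            # No "verifying pingback from": only the reflector itself is known.
            legacy.add(entry["ip"])
    return {
        "origins": origins,
        "reflectors_by_origin": dict(reflectors_by_origin),
        "legacy_reflectors": legacy,
        "wordpress_ua_hits": hits,
    }


def report(log_text):
    """Human-readable summary: who is really behind the pingback traffic."""
    r = analyze(log_text)
    lines = [f"requests with a WordPress User-Agent: {r['wordpress_ua_hits']}"]
    for origin, n in r["origins"].most_common():
        reflectors = len(r["reflectors_by_origin"][origin])
        lines.append(f"  origin {origin}: {n} hits via {reflectors} reflector(s)")
    if r["legacy_reflectors"]:
        lines.append(f"  {len(r['legacy_reflectors'])} requester(s) without an origin "
                     "(old WordPress or non-pingback fetch)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real log with `analyze(open("access.log").read())`; the `origins` counter is what you hand to your upstream provider or abuse contact, and `reflectors_by_origin` tells you how many distinct WordPress sites each origin is driving.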
Cid says that disabling pingbacks is the best course of action. “It won’t protect you from being attacked, but will stop your site from attacking others,” he pointed out.
He also recommends disabling XML-RPC altogether if it is not used, or limiting access to it. Attackers have been known to mount DoS attacks against WordPress sites by hammering xmlrpc.php with requests; restricting access to the file to a short whitelist of IP addresses is a good way to prevent that.
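Disabling pingbacks in WordPress means the `pingback.ping` XML-RPC method is no longer offered (for example by removing it through the `xmlrpc_methods` filter or with a plugin); however it is done, the site owner will want to confirm the result from the outside. The following added example (not code from the article or from Sucuri) asks xmlrpc.php for its method list with the standard `system.listMethods` call, which WordPress answers, and reports whether `pingback.ping` is still advertised. It goes slightly beyond the text in also recognizing the blocked (401/403) and absent (404) states that an IP whitelist or a full XML-RPC shutdown produce. The sample responses are constructed with the same serializer; the only network call is the optional live check.

```python
"""Verify that a WordPress site no longer offers pingback.ping over XML-RPC.

Added example, not from the article or from Sucuri. It asks xmlrpc.php for the
standard XML-RPC method list (system.listMethods) and reports one of several
states: pingbacks still enabled, pingbacks disabled but XML-RPC otherwise
reachable, xmlrpc.php blocked by an allowlist/deny rule, or not served at all.
The responses used below are constructed samples.
"""
import urllib.error
import urllib.request
import xmlrpc.client
from typing import List, Optional

PINGBACK_METHOD = "pingback.ping"


def build_list_methods_request() -> bytes:
    """XML-RPC methodCall body for system.listMethods (takes no parameters)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def methods_from_response(body: bytes) -> List[str]:
    """Parse a methodResponse carrying an array of method names.

    Raises xmlrpc.client.Fault for a fault response and other exceptions for
    anything that is not XML-RPC (an HTML error page, a WAF block page, ...).
    """
    params, _ = xmlrpc.client.loads(body)
    return [str(name) for name in params[0]]


def assess(status: int, body: Optional[bytes]) -> str:
    """Turn HTTP status and body of the system.listMethods call into a verdict."""
    if status in (401, 403):
        return "blocked: xmlrpc.php is behind an allowlist or deny rule"
    if status == 404:
        return "absent: xmlrpc.php is not served"
    if status != 200:
        return f"unexpected: HTTP {status}"
    try:
        methods = methods_from_response(body or b"")
    except xmlrpc.client.Fault as fault:
        return f"fault: XML-RPC fault {fault.faultCode}: {fault.faultString}"
    except Exception:  # ExpatError, ResponseError, IndexError: not an XML-RPC reply
        return "not-xmlrpc: reply is not XML-RPC (error page or WAF block page?)"
    if PINGBACK_METHOD in methods:
        return f"enabled: {PINGBACK_METHOD} is advertised, site can be used as a reflector"
    return f"disabled: {PINGBACK_METHOD} gone, XML-RPC still answers with {len(methods)} methods"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Live check (does network I/O): POST system.listMethods to <site>/xmlrpc.php."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php",
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return assess(err.code, err.read())


# Constructed sample replies, built with the same serializer so they are well-formed.
def _response(methods: List[str]) -> bytes:
    return xmlrpc.client.dumps((methods,), methodresponse=True).encode()


SAMPLE_ENABLED = _response(["system.listMethods", "wp.getUsersBlogs",
                            "pingback.ping", "pingback.extensions.getPingbacks"])
SAMPLE_DISABLED = _response(["system.listMethods", "wp.getUsersBlogs",
                             "pingback.extensions.getPingbacks"])
SAMPLE_HTML = b"<html><body>Forbidden</body></html>"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))  # e.g. python check.py https://blog.example
    else:
        print("enabled  ->", assess(200, SAMPLE_ENABLED))
        print("disabled ->", assess(200, SAMPLE_DISABLED))
        print("html     ->", assess(200, SAMPLE_HTML))
        print("403      ->", assess(403, b""))
```

If the live check reports `blocked` from an address outside your whitelist but `disabled` or `enabled` from inside it, the access restriction is working as intended; `enabled` from anywhere means the site can still be pointed at someone else.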