I came across a blog article by Cloudflare. I use and recommend Cloudflare as a security protection and speed booster on all of my sites and all of my client sites. Cloudflare has saved the day for myself and my clients far more times than I can count. I came across this article on Facebook originally.
WordPress Pingback Attacks and our WAF
WordPress’ ubiquity on the web can make it an ideal target for Layer 7 attacks, and its powerful features as a blogging platform can be demanding on small web and database servers, meaning Layer 7 attacks can be effective in making a WordPress server go offline using a relatively low number of requests. Recently the guys at Sucuri observed a large DDoS using WordPress’ pingback mechanism. A pingback is a way of one website telling another that it has linked to their content. Via blog.cloudflare.com
Cloudflare provides an easy way for (paying) customers to stop this activity with the flip of the switch in one of their advanced settings.
I am not yet a paying customer myself. This may in fact be one of the first compelling services I have seen to push me over the tipping point.
Regardless, Cloudflare originally heard about the problem from Sucuri, a WordPress focused security service.
More Than 162, 000 WordPress Sites Used for Distributed Denial of Service Attack
Note that XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features youâÃÃre likely very fond of. If you notice, all queries had a random value (like âÃÃ?4137049=643182âÃó) that bypassed their cache and force a full page reload every single time. Yes, other WordPress sites were sending that random requests at a very large scale and bringing the site down. Via blog.sucuri.net
Sucuri zeroed in on this type of attack after a WordPress site was knocked out by a DDoS attack and they signed up as a new Sucuri client.
I’m not a Sucuri client myself, but they do some very good work. Between Cloudflare, ManageWP and my own experience with WordPress I currently feel that I’m safe enough. If I were to turn to someone for a boost, Sucuri would be top of my list.
Anyway, they spotted the bad behavior and they also have a solution for their paying clients to protect people. They also setup a free tool, such that you could determine if your own WordPress website was being utilized to attack others (as opposed to the protection these provide against being the WordPress site attacked.)
They also offered two solutions for stopping your WordPress website from being used to attack others. The third one below is my suggestion.
- Turn off / disable notifications in your WordPress admin settings
- Add the following code to your functions.php file (not for novices)
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;
} );
I would add this third tip…
3. Become a client of Sucuri and/or Cloudflare 🙂