Vulnerable WordPress Servers, A Real Cause for Concern

By Stephen Gates | March 14, 2014

Posted in: Network Security Trends

Attacks against WordPress servers, and attacks that use WordPress servers as the weapon, have received more than their fair share of publicity over the last several months.  Digging a little deeper into the two attack scenarios brings a few key points to light.

In the spring of 2013, many WordPress servers located in hosting centers and DMZs throughout the world were reportedly attacked by a botnet made up primarily of home computers.  The botnet was not DDoS’ing them; instead it was being used to compromise WordPress servers with brute-force password-guessing attacks.

Many individuals who had deployed WordPress servers were still using the default “admin” username (come on, we know better than that!), and the botnet-infected machines were trying to guess the password that went with it.  A known username turns the problem into guessing a single password, which is exactly what a botnet is good at.  Once a working username/password pair was identified, the attackers had complete control over the WordPress server. Mission accomplished.

At the time, security experts were concerned about this behavior because an attacker who had successfully taken over a large number of WordPress servers could generate a sizable amount of DDoS traffic (a SYN flood, for example). This is plausible because most WordPress servers have access to large amounts of bandwidth, since they are often located in hosting centers.

More recent WordPress server attacks have looked quite different from the one outlined above.  It has become apparent that these crafty attackers have devised a new attack vector that uses WordPress servers as reflectors to launch Layer 7 DDoS attacks against other sites (WordPress or not).  A recent article published by CNet states, “With some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site, security researchers said Monday.”

Daniel Cid, in a recent blog post, stated: “Any WordPress site with Pingback enabled (which is on by default) can be used in DDoS attacks against other sites. Note that XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused like what we are seeing.”
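Both scenarios above leave distinctive fingerprints in the victim's web server access log, and a quick way to confirm either one is to look there. The following Python script is an added example written for this article, not code from the author or from the WordPress project. It parses combined-format access-log lines and flags two patterns: bursts of POSTs to wp-login.php from one client (the brute-force scenario), and GETs carrying the User-Agent string WordPress core sends when it fetches a pingback's sourceURI to verify it, "WordPress/<version>; <reflector home URL>; verifying pingback from <ip>", which means every reflector used against you names itself in your log. The sample log lines are constructed (RFC 5737 documentation addresses, made-up site names), and the threshold of 20 login POSTs and the "random query string" cache-busting heuristic are assumed tuning choices, not values from the article.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress sends when it fetches a pingback's sourceURI to confirm the
# link exists:  WordPress/<ver>; <reflector home URL>; verifying pingback from <ip>
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>https?://[^;]+); '
    r'verifying pingback from (?P<from_ip>\S+)$'
)

# Heuristic (assumed): reflected requests often carry a random "?digits=digits"
# query string so that caches miss and every hit is served dynamically.
CACHE_BUSTER_RE = re.compile(r"/\?\d+=\d+")


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return ("pingback_reflection", reflector_site) or ("login_bruteforce", ip),
    or None when the parsed entry matches neither pattern."""
    m = PINGBACK_UA_RE.match(entry["ua"])
    if m:
        return "pingback_reflection", m.group("site")
    path = entry["path"].split("?", 1)[0]
    if entry["method"] == "POST" and path.endswith("/wp-login.php"):
        return "login_bruteforce", entry["ip"]
    return None


def analyze(lines, login_threshold=20):
    """Summarise both patterns over an iterable of log lines. login_threshold is
    the number of wp-login.php POSTs from one IP we tolerate (assumed value)."""
    login_posts = Counter()
    reflectors = Counter()   # reflector site URL -> verification GETs it sent us
    reflector_ips = set()
    cache_busting = 0
    for line in lines:
        entry = parse_line(line)
        hit = classify(entry) if entry else None
        if hit is None:
            continue
        pattern, key = hit
        if pattern == "pingback_reflection":
            reflectors[key] += 1
            reflector_ips.add(entry["ip"])
            if CACHE_BUSTER_RE.fullmatch(entry["path"]):
                cache_busting += 1
        else:
            login_posts[key] += 1
    return {
        "pingback_requests": sum(reflectors.values()),
        "pingback_reflectors": len(reflectors),
        "pingback_reflector_ips": len(reflector_ips),
        "pingback_cache_busting": cache_busting,
        "bruteforce_ips": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
    }


# Constructed sample log (not real traffic): three reflectors verifying pingbacks that
# name us as sourceURI, one ordinary browser hit, one legitimate login POST and a
# flood of 25 login POSTs from a single host.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2014:09:12:01 -0400] "GET /?4137049=643182 HTTP/1.0" 200 5123 "-" '
    '"WordPress/3.8.1; http://reflector-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [10/Mar/2014:09:12:01 -0400] "GET /?9182737=12983 HTTP/1.0" 200 5123 "-" '
    '"WordPress/3.7.1; http://reflector-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.10 - - [10/Mar/2014:09:12:02 -0400] "GET /?5551212=77 HTTP/1.0" 200 5123 "-" '
    '"WordPress/3.8.1; http://reflector-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [10/Mar/2014:09:12:02 -0400] "GET /about/ HTTP/1.0" 200 5123 "-" '
    '"WordPress/3.8; https://reflector-c.example/blog; verifying pingback from 198.51.100.7"',
    '198.51.100.200 - - [10/Mar/2014:09:12:03 -0400] "GET /about/ HTTP/1.1" 200 8801 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"',
    '192.0.2.56 - - [10/Mar/2014:09:13:05 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.55 - - [10/Mar/2014:09:13:{i % 60:02d} -0400] "POST /wp-login.php HTTP/1.1" '
    f'200 3472 "http://victim.example/wp-login.php" "Mozilla/5.0"'
    for i in range(25)
]

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"pingback verification GETs: {summary['pingback_requests']} from "
          f"{summary['pingback_reflectors']} distinct WordPress sites "
          f"({summary['pingback_cache_busting']} with cache-busting query strings)")
    for ip, n in summary["bruteforce_ips"].items():
        print(f"wp-login.php brute force: {ip} made {n} POSTs")
```

A single "verifying pingback" request is normal; somebody linked to you and their blog is checking. What marks the attack is the breadth and rate: hundreds or thousands of distinct reflector sites hitting uncacheable URLs within seconds. Feed the script a real log with `analyze(open("access.log"))`. If you run a WordPress site yourself, the mirror-image check is for a surge of POSTs to /xmlrpc.php, which is what the attacker sends the reflectors.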

This is just the tip of the iceberg when it comes to exploiting WordPress servers to launch some of the most insidious DDoS attack types. Organizations that have deployed these servers should check with their upstream ISP to determine whether it is taking any proactive steps to protect against these attacks. Enforcing BCP-38/RFC 2827 ingress filtering is a significant step an ISP can take: it removes the ability of devices on its network to spoof their source IP addresses, so a SYN flood launched from compromised servers can at least be traced back and filtered. Note that it does nothing against the pingback scenario, because a reflector sends its verification request from its own real address; that one has to be dealt with on the WordPress side, by disabling or restricting XML-RPC pingbacks and rate-limiting xmlrpc.php, just as the brute-force scenario is dealt with by not leaving the default “admin” account in place.