Incapsula: WordPress Default Setting Opens up Sites to DDoS Exploit

Incapsula: WordPress Default Setting Opens up Sites to DDoS Exploit

Popular content management system WordPress is harboring a default setting that is making is susceptible to compromise, according to recent research.

Gur Shatz, CEO of IT security vendor Incapsula, wrote in a blog post that a recent Distributed Denial of Service (DDoS) attack mitigated by his firm exposed this vulnerability.

“These sites were not compromised, taken over, or rooted. Instead, the attackers took advantage of an existing WordPress vulnerability and abused the site, herding it into a voluntary botnet,” he wrote.

The default functionality is called 'pingback' and it is typically used to create “a request from WordPress to an arbitrary site.” In this instance, however, it caused a single machine to generate millions of requests from a variety of locations.

“This gives any attacker a virtually limitless set of IP addresses to distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them,” wrote Shatz.

This is the second such incident in the past month involving compromised WordPress sites. The blog platform was recently hit by a massive attack fueled by a botnet comprised of tens of thousands of computers looking to acquire log on credentials, according to reports.

Krebs on Security reported back in mid-April that the growing botnet was made up of roughly 90,000 web servers, attempting to “brute force attack” individual wordpress site using the rudimentary password “admin.”

This new attack differs by simply exploiting a WordPress feature that is enabled by default. A vulnerability that has apparently been known about for the past six years, according to this unresolved security ticket.

“Any website with Pingback functionality enabled is susceptible, and can be used by hackers to launch Denial of Service attacks,” Shatz wrote.

According to a W3Techs survey, WordPress is currently in use on 17.6 percent of all websites, making the potential scope of this vulnerability enormous.

Incapsula noted that the attack originated from approximately 2,500 WordPress sites, including some very large sites like, and

This most recent attack comes just a month after WordPress unveiled its new Two Step Authentication feature, designed to increase administrator security.

Shatz offers some very simple advice for those wishing to eliminate this potential threat.

“To do it yourself, log into your web hosting control panel (cPanel, H-Sphere, Plesk, etc) and delete or rename xmlrpc.php in the root directory of your WordPress installation,” he wrote.