162,000 WordPress Sites Abused to Amplify DDOS Attack

Cybercriminals abuse XML-RPC feature in WordPress sites to amplify DDOS attacks

Sucuri has been called in to mitigate a major distributed denial-of-service (DDOS) attack aimed at a popular WordPress site. What’s interesting about this incident is that 162,000 other WordPress sites were used to amplify the attack.

DDOS attacks are becoming more and more common. However, every once in a while, cybercriminals come up with an interesting way to amplify them.

According to experts, in this particular attack, the 162,000 WordPress sites were indirectly used as amplification vectors. After the company, which hasn’t been named, subscribed to their CloudProxy Website Firewall service, Sucuri immediately started analyzing the operation.

They soon discovered that tens of thousands of WordPress sites were sending random requests at the targeted websites in an effort to make it inaccessible.

So how could cybercriminals abuse such a large number of WordPress sites? The attackers are actually abusing the XML-RPC feature. XML-RPC is used for trackbacks, pingbacks, remote access and other operations. Because XML-RPC is enabled by default on WordPress websites, it’s not difficult for malicious actors to abuse it.

They simply have to send a ping back request to the website’s XML-RPC file. The request looks something like this:

$ curl -D – “www.anywordpresssite.com/xmlrpc.php” -d ‘<methodCall><methodName>pingback.ping </methodName> <params><param><value><string> http://victim.com</string></value></param&gt; <param><value><string> http://www.anywordpresssite.com/postchosen </string> </value></param></params></methodCall>’

With this simple Linux command, many WordPress websites become amplification vectors for a DDOS attack.

Sucuri experts advise the owners of WordPress websites to check their logs for any POST request to the XML-RPC file. If they find pingbacks to random URLs, the site is most likely used to target others.

Alternatively, there is an online WordPress DDOS Scanner tool made available by Sucuri.

In order to protect your website from being abused in such a manner by cybercriminals, you can disable the XML-RPC pingback functionality, or add the following piece of code to your WordPress theme:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s