Beware : Your Site Is Part of a WordPress Pingback DDoS Botnet

18 Mar 2014 Update : the plugin has been accepted and is now available on the WordPress.org plugin repo!

Recently, Sucuri posted about 160,000 WordPress sites being used in a DDoS attack. This got me worried about my personal blog, as someone had emailed me last year, claiming that my blog was being used in a DDoS attack. I immediately figured the email was spam and thought “There is no way my site can be so badly compromised!” and I deleted the mail.

The truth was, my personal blog had been used in a WordPress Pingback DDoS attack against some poor victim. And I had no idea! My site had been used, without my knowledge, in what I call a “Pingback Botnet”.

And yes, your site could also have been (mis)used.

Get Informed

I first learned about this type of attack, and then WPTavern posted an article about it: How To Prevent WordPress From Participating In Pingback Denial of Service Attacks. They link to the Sucuri blog post and also posted a code snippet that you can paste into your functions.php file to prevent your site from being taken advantage of. It all has to do with the infamous XML-RPC support built into WordPress: the pingback.ping method on xmlrpc.php accepts a source URL and a target URL from anyone, fetches the source URL to verify it, and an attacker can point that fetch at a victim from thousands of blogs at once.

Oh yes, and it is enabled by default as of version 3.5!

Test Yourself

You can test to see if your site was used in the WordPress Pingback Botnet by using Sucuri’s WordPress DDoS scanner. This is what I got back:

Themergency DDOS Scan Result

Protect Yourself

Sucuri posted a code snippet which will get you out of the woods:

// Drop pingback.ping from the XML-RPC method table so nobody can call it remotely.
// Note: the anonymous function requires PHP 5.3 or newer.
add_filter( 'xmlrpc_methods', function( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} );

And then Jeff, over at the Tavern, cleaned it up a bit to make it work with more versions of PHP.

But I was still not happy.

This bit of code is too important to live in your theme's functions.php file! The filter leaves with the theme: when you change themes at some point in the future, you can unknowingly open yourself up to becoming part of the next WordPress Pingback DDoS Botnet.

So I created a simple little plugin with this same code and posted the code on GitHub. It is also available on the WordPress.org plugin repo : Remove XMLRPC Pingback Ping.

Download the zip of the plugin now and activate it.

Test Yourself Again!

I am paranoid, so I wanted to make absolutely sure that, even after I had activated my Remove XMLRPC Pingback plugin, I was protected. After a little digging, I managed to figure out how to test my site.

Follow these steps and replace http://YOUR-SITE-URL.com with the URL of your site:

  1. Install the Chrome extension Postman
  2. As your request URL, enter http://YOUR-SITE-URL.com/xmlrpc.php
  3. Make sure you are doing a POST
  4. Set your request body to be RAW with the following content:
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>http://YOUR-SITE-URL.com</string></value></param>
    <param><value><string>http://YOUR-SITE-URL.com/hello-world/</string></value></param>
    </params>
    </methodCall>
  5. Make sure the second param is a valid blog post URL that exists in your WordPress site
  6. Send the request!

If you get back a response saying the pingback from http://YOUR-SITE-URL.com to http://YOUR-SITE-URL.com/hello-world/ was registered, then your site is wide open. Here is a screenshot from Postman:

XMLRPC Pingback Enabled

After activating this plugin, sending the same request as above should result in an error response from the site: "server error. requested method pingback.ping does not exist.", as seen in this screenshot:

XMLRPC Pingback Disabled

In Summary

  1. Learn more about the threat : Sucuri
  2. Install the Remove XMLRPC Pingback Ping plugin to protect your site from unknowingly enlisting in the next Pingback Botnet : GitHub repo or WordPress.org repo or Download the zip

14 thoughts on “Beware : Your Site Is Part of a WordPress Pingback DDoS Botnet”

  1. Many thanks Brad for this post and the free plugin.

    I am going to go check all my WordPress sites now and get your plugin installed.

    I know it doesn’t necessarily apply to this security issue but it always amazes me just how easy it is to hijack some WordPress sites and how lazy some webmasters can be with using Fantastico instead of a manual install.

    All I did was spend 3 or 4 hours manually installing and configuring a basic WordPress install. I then cloned it and now use that as my base template whenever I need to set up a new WordPress site.

    Thanks to this post it looks like I need to update my clone install. 🙂

    Thanks again Brad, love your posts, company and plugins I have purchased from Fooplugins to date.

    With regards
    Kate_H

    • Hey Kate_H,

      Yes, I also get shocked at how easy it can sometimes be to exploit a site.

      Thanks for your support

      cheers
      Brad

  2. Good day! I had a question about this maybe you can answer.

    If my WP site has been used in an attack, and I looked at the raw Apache logs, could I identify the attacking machines? Is the XMLRPC call a UDP packet that can be spoofed? Or does it require a TCP connection with a valid return IP address to work? Thanks!!
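An added example, not part of the post or of this comment thread: xmlrpc.php is an ordinary HTTP endpoint, so every pingback.ping call arrives as a POST on an established TCP connection and lands in the web server's access log with the caller's address. The Python below parses Apache combined-format lines and gives two views: on a site that was enlisted, which addresses POSTed to xmlrpc.php; on the receiving end, which WordPress sites took part, read off the "WordPress/<version>; <site url>" User-Agent that WordPress sends with its own outbound requests (the fetch it makes to verify a pingback source). The log lines, addresses and hostnames are constructed for the example, not real traffic.

```python
import re
from collections import Counter

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress uses for its own outbound HTTP requests: "WordPress/<version>; <site url>".
WP_UA_RE = re.compile(r"^WordPress/(?P<version>[\d.]+); (?P<origin>\S+)$")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def xmlrpc_callers(lines):
    """Enlisted-site view: count POSTs to xmlrpc.php per client address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Ignore any query string; a GET to xmlrpc.php is not a method call.
        if rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[rec["ip"]] += 1
    return counts


def pingback_sources(lines):
    """Target-site view: count hits per WordPress site named in the User-Agent."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        match = WP_UA_RE.match(rec["ua"])
        if match:
            counts[match.group("origin")] += 1
    return counts


# Constructed sample lines (documentation address ranges and example hostnames).
ENLISTED_SITE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:14:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2014:14:02:13 +0000] "GET /hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:14:02:14 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2014:14:02:15 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
]
TARGET_SITE_LOG = [
    '192.0.2.10 - - [10/Mar/2014:14:05:01 +0000] "GET /?4711 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-one.example"',
    '192.0.2.11 - - [10/Mar/2014:14:05:01 +0000] "GET /?8812 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-two.example"',
    '192.0.2.10 - - [10/Mar/2014:14:05:02 +0000] "GET /?9021 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-one.example"',
    '198.51.100.9 - - [10/Mar/2014:14:05:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in xmlrpc_callers(ENLISTED_SITE_LOG).most_common():
        print(f"xmlrpc.php POSTs from {ip}: {n}")
    for origin, n in pingback_sources(TARGET_SITE_LOG).most_common():
        print(f"WordPress fetches announced by {origin}: {n}")
```

On the enlisted site, a burst of POSTs to xmlrpc.php from one or a few addresses is the signature of someone driving pingbacks through you. On the target, the User-Agent names the blogs doing the fetching, which is how a victim can tell those blog owners that their site is part of the botnet.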

  3. Brad, you’re a darling. I get a ton of site lockout notifications so I see there are certain elements (often located in Vietnam, interestingly) that show an interest in breaking in. I think we all need to raise the bar for intruders and hackers and those who want to do botnet farming so as to make the resulting marginal utility of each next attempt increasingly unattractive. Unfortunately, WordPress is meant to be the platform of choice for tech-unsavvy. This is good, it is a great enabler. But it also means there are many blogs out there that are poorly maintained and badly protected.

  4. Hi Brad,

    Just want to say THANK YOU for the plugin. Works like a charm! Found we were being DDOSed while checking server this morning. Installed the plugin and all the nasty processes were gone.

  5. Thank you so much for posting about this.

    I have been dealing with GET and POST attacks on my site’s xmlrpc file for two weeks. I even moved hosts, thinking that the hosting provider was causing the downtime. Thankfully the new host informed me of the problem, which led to your site and guide.

    I have patched all of my sites and I am now watching, with bated breath, and hoping that this resolves our downtime issues.

  6. Magnificent goods from you, man. I’ve understood your stuff previously and you are just too fantastic. I actually like what you’ve acquired here, really like what you are stating and the way in which you say it. You make it entertaining and you still take care to keep it sensible. I can’t wait to read far more from you. This is really a terrific web site.

  7. I was excited to discover this website. I wanted to thank you for your time, just for this fantastic read!! I definitely liked every part of it and I also have you saved to fav to check out new things on your blog.

