
Hackers turn 162,000 WordPress sites into DDoS attack tools

11 Mar 2014

Hackers have hijacked more than 162,000 legitimate WordPress sites, connecting them to a criminal botnet and forcing them to mount distributed denial-of-service (DDoS) attacks, according to security firm Sucuri.

Sucuri CTO Daniel Cid said the company uncovered the botnet when analysing an attack targeting one of its customers. Cid said Sucuri managed to trace the source of the attack to legitimate WordPress sites.

"The most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending random requests at a very large scale and bringing the site down," read the blog.

"Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk."

Cid said the attackers mounted the attack using a well-known flaw in WordPress code. "One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping-back request to the XML-RPC file," read the post.

"This is a well-known issue within WordPress and the core team is aware of it, it's not something that will be patched, though. In many cases this same issue is categorised as a feature, one that many plugins use, so in there lies the dilemma."

At the time of publishing, WordPress had not responded to V3's request for comment on the Sucuri blog post.

Cid said WordPress users concerned they may be affected should disable the dodgy XML-RPC functionality of their site or download an automated scanner tool from a legitimate security service provider.
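A site on the receiving end of this kind of flood can spot it in its own web-server logs, because WordPress sends pingbacks with a User-Agent of the form `WordPress/<version>; <site URL>`. The following is an added example, not code from the article or from Sucuri: it parses combined-format access log lines (constructed sample data, not real traffic), counts pingback-style requests per originating WordPress site, and flags the pattern described above, many distinct legitimate sites hitting one target at once. The threshold values are assumptions to be tuned per site.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: client, identd, user, [timestamp],
# "request line", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# WordPress identifies its outbound pingback requests as
# "WordPress/<version>; <blog URL>"; the URL tells you which install sent it.
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<site>https?://\S+)$')

# Constructed sample lines (RFC 5737 test addresses, invented blog names).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:13:01:02 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.11 - - [10/Mar/2014:13:01:02 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.7.1; http://blog-b.example"
198.51.100.7 - - [10/Mar/2014:13:01:03 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [10/Mar/2014:13:01:03 +0000] "GET /news/ HTTP/1.0" 200 512 "-" "WordPress/3.8; http://blog-c.example"
203.0.113.10 - - [10/Mar/2014:13:01:04 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_sources(log_text):
    """Count pingback-style requests per originating WordPress site URL."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua:
            hits[ua.group("site")] += 1
    return hits


def is_pingback_flood(log_text, min_distinct_sites=3, min_requests=4):
    """A few pingbacks is normal blog traffic; many distinct WordPress installs
    all hitting this site in one window is the reflected DDoS pattern.
    Thresholds are placeholders to tune for the site's normal pingback rate."""
    hits = pingback_sources(log_text)
    return len(hits) >= min_distinct_sites and sum(hits.values()) >= min_requests


if __name__ == "__main__":
    for site, count in pingback_sources(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {site}")
    print("pingback flood:", is_pingback_flood(SAMPLE_LOG))
```

The per-site counts also give the list of (innocent) WordPress installs whose owners should be told their xmlrpc.php is being abused.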

Gary Sockrider, solutions architect at DDoS mitigation firm Arbor Networks, told V3 that attacks targeting WordPress users are increasing because the platform's lax security makes it an easy target for hackers.

"It's not uncommon that cyber criminals use PHP web application servers as bots in the attacks. Many WordPress sites, often using the out-of-date TimThumb plugin, were compromised in the past – the same happened to Joomla and other PHP-based applications," he said.

"Attackers usually target unmaintained servers to which the attackers upload PHP web shells and then use those shells to further deploy attack tools. Attackers connect to the tools either directly or through intermediate servers, proxies or scripts."

DDoS attacks are a growing problem facing governments and businesses. They are a popular tactic with hacktivist groups looking to knock websites and systems offline by flooding them with requests. In 2014 the tactic has been used against numerous high-profile agencies and companies, including the UK Ministry of Justice.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
