Hackers have hijacked more than 162,000 legitimate WordPress sites, connecting them to a criminal botnet and forcing them to mount distributed denial-of-service (DDoS) attacks, according to security firm Sucuri.
Sucuri CTO Daniel Cid said the company uncovered the botnet when analysing an attack targeting one of its customers. Cid said Sucuri managed to trace the source of the attack to legitimate WordPress sites.
"The most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending random requests at a very large scale and bringing the site down," read the blog.
"Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk."
Cid said the attackers successfully mounted the scam using a well-known flaw in WordPress code. "One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping-back request to the XML-RPC file," read the post.
"This is a well-known issue within WordPress and the core team is aware of it, it's not something that will be patched, though. In many cases this same issue is categorised as a feature, one that many plugins use, so in there lies the dilemma."
At the time of publishing, WordPress had not responded to V3's request for comment on the Sucuri blog post.
Cid said WordPress users concerned they may be affected should disable the dodgy XML-RPC functionality of their site or download an automated scanner tool from a legitimate security service provider.
Gary Sockrider, solutions architect at DDoS mitigation firm Arbor Networks, told V3 that attacks targeting WordPress users are increasing as the site's lax security makes it easy for hackers.
“It’s not uncommon that cyber criminals use PHP web application servers as bots in the attacks. Many WordPress sites, often using the out-of-date TimThumb plugin, were compromised in the past – the same happened to Joomla and other PHP-based applications,” he said.
“Attackers usually target unmaintained servers to which the attackers upload PHP web shells and then use those shells to further deploy attack tools. Attackers connect to the tools either directly or through intermediate servers, proxies or scripts.”
DDoS attacks are a growing problem facing governments and businesses. They are a popular tactic with hacktivist groups looking to knock websites and systems offline by flooding them with requests. In 2014 the tactic has been used against numerous high-profile agencies and companies, including the UK Ministry of Justice.