WordPress exposes an XML-RPC interface that lets users publish to a WordPress website through popular weblog clients. WordPress supports the Blogger API, the MetaWeblog API, the Movable Type API, and the Pingback API, and plugins can extend this functionality further.

The same XML-RPC interface also gives attackers a way to abuse a WordPress website: through pingback exploits, compromised or simply misconfigured WordPress sites can be turned into a platform for launching attacks against others.
What is Pingback and How Does it Work?
Pingback is a built-in linkback feature that notifies you when someone links to one of your blog posts. When pingbacks are enabled on your WordPress website and you publish content that links to another website, an XML-RPC request is sent to that website; the receiving site then automatically contacts the source website to verify that the incoming link really exists. The whole process goes like this:
- We publish a post on our blog.
- You publish a post on your blog that links to one of our posts.
- Your blogging platform automatically sends us a pingback.
- Our blogging platform receives the pingback and automatically fetches your post to verify that the link is really present there.
- We can now display your pingback as a comment on our post, in the form of a link back to your website.
Why should we disable pingbacks?
A WordPress website with pingbacks enabled can be used in DDoS attacks against other websites. An attacker can abuse the pingback functionality with a simple command and a single XML-RPC request, so thousands of legitimate WordPress websites can be exploited at once to launch a large-scale DDoS attack.
Nowadays, attackers also use XML-RPC vulnerabilities and the XML-RPC wp.getUsersBlogs method to run large-scale brute-force attacks against WordPress sites. WordPress XML-RPC calls require a username and password, so attackers use a method such as wp.getUsersBlogs to try a large number of passwords and possibly gain access to WordPress admin accounts. Rather than brute-forcing the wp-admin login page, attackers have begun to use XML-RPC instead, which is faster for brute-forcing and harder to detect as well.
Securing your WordPress website against DDoS/Brute-Force attacks
WordPress version 3.9.2 was released with a fix that reduced the impact of some DDoS attacks, but if pingbacks and XML-RPC are still enabled on your WordPress website, your site can still be exploited. To protect your WordPress website against such attacks, disable pingbacks and XML-RPC entirely. You can install the XML-RPC Pingback WordPress plugin to disable pingbacks on your WordPress website.
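Disabling XML-RPC is the fix; checking your access logs tells you whether the abuse described above is already happening. The script below is an added example, not code from the original post: it flags both the XML-RPC brute-force pattern (one client posting to /xmlrpc.php over and over) and the receiving end of a pingback DDoS (many distinct blogs "verifying" a link to the same page, recognisable by the WordPress/<version>; <site-url> user-agent WordPress sends for pingback verification). The log lines are constructed for the demonstration, and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict

# Common "combined" access-log format (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-agent WordPress uses when it fetches a page to verify a pingback link.
# Only the prefix is matched, so any text a release appends after the URL is tolerated.
WP_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<site>[^;\s]+)')

def parse(lines):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def xmlrpc_bursts(lines, threshold=20):
    """IPs that POST to /xmlrpc.php at least `threshold` times. On the WordPress
    host, wp.getUsersBlogs password guessing and pingback.ping abuse both look
    like this: one client, many XML-RPC POSTs. Returns {ip: count}."""
    counts = Counter(r["ip"] for r in parse(lines)
                     if r["method"] == "POST" and r["path"].split("?")[0] == "/xmlrpc.php")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def pingback_reflectors(lines, min_sources=3):
    """Paths fetched with the pingback-verification user-agent by at least
    `min_sources` distinct blogs. On the target site, many unrelated WordPress
    installs 'verifying' a link to one URL is the receiving end of a pingback
    DDoS. Returns {path: sorted list of source blog URLs}."""
    sources = defaultdict(set)
    for r in parse(lines):
        m = WP_UA_RE.match(r["ua"])
        if m and r["method"] == "GET":
            sources[r["path"]].add(m.group("site"))
    return {p: sorted(s) for p, s in sources.items() if len(s) >= min_sources}

# Constructed sample log, not real traffic: one client hammering xmlrpc.php,
# one legitimate XML-RPC client, and four blogs "verifying" a pingback to one page.
def _line(ip, method, path, ua):
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", "Mozilla/5.0") for _ in range(25)]
    + [_line("198.51.100.2", "POST", "/xmlrpc.php", "Mozilla/5.0")]
    + [_line(f"192.0.2.{i}", "GET", "/?p=42", f"WordPress/4.1; http://blog{i}.example")
       for i in range(1, 5)]
)
```

Run `xmlrpc_bursts(SAMPLE_LOG)` and `pingback_reflectors(SAMPLE_LOG)` against your own log lines in place of the sample; a site that has disabled XML-RPC should see the first return nothing but 405/403 noise and the second return nothing at all.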