
WordPress Pingback Attacks and our WAF

2014-03-11


At CloudFlare a lot of our customers use WordPress. That's why we have our own plugin, hang out at WordCamp, and wrote a WordPress-specific ruleset for our Web Application Firewall (WAF).

WordPress' ubiquity on the web makes it an ideal target for Layer 7 attacks, and its powerful features as a blogging platform can be demanding on small web and database servers. That means a Layer 7 attack can take a WordPress server offline with a relatively small number of requests.

Recently the folks at Sucuri observed a large DDoS attack that abused WordPress' pingback mechanism. A pingback is a way for one website to tell another that it has linked to its content. We've seen this attack in the past and already had WAF rules in place to block it.

WordPress exposes an XML-RPC endpoint, xmlrpc.php, to which other sites POST a standard pingback.ping call to tell a blog that its content has been linked to. The call carries two URLs: the source, which is the page on which the link was placed, and the target, which is the post on the blog that was linked to.

When WordPress receives a pingback, it first checks that the target URL is one of its own posts and then makes a request back to the source page to verify that the link is actually there. Attackers abuse this by naming a genuine post on a WordPress site as the target and the intended victim's URL as the source, which makes the WordPress server issue an HTTP request to the victim's site. You can think of this as a kind of HTTP reflection attack: the attacker sends a relatively small request to any XML-RPC endpoint that supports pingbacks and triggers a much larger amount of effort, and a much larger response, on the victim's server. Because the requests come from the reflecting WordPress sites rather than from the attacker, the victim sees traffic arriving from a crowd of otherwise legitimate blogs.
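To make the mechanism concrete, here is an added Python example; it is not code from the original post, nor from WordPress or CloudFlare. It builds a constructed pingback.ping call, models the check-then-fetch that the text above describes so you can see exactly which request the victim ends up receiving, and shows the shape of a WAF check that refuses pingback calls at xmlrpc.php. The hostnames (blog.example, victim.example), the second non-pingback call and the size limit are assumptions made for illustration; the fetch model follows the behaviour described above rather than WordPress's actual source.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed pingback.ping request body, as an abusive client would POST it to
# https://blog.example/xmlrpc.php.  Hostnames are reserved example names chosen for
# illustration; nothing here is taken from the attack Sucuri observed.
PINGBACK_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/heavy-page/?v=1</string></value></param>
    <param><value><string>https://blog.example/2014/03/a-real-post/</string></value></param>
  </params>
</methodCall>
"""

# A constructed, legitimate non-pingback call (what a mobile client sends) for comparison.
OTHER_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>editor</string></value></param>
    <param><value><string>correct horse battery staple</string></value></param>
  </params>
</methodCall>
"""

MAX_BODY = 64 * 1024  # assumed cap: refuse oversized bodies before parsing untrusted XML


def parse_xmlrpc(body):
    """Return (root, methodName, [string params]) for an XML-RPC methodCall body.
    Raises ET.ParseError on malformed XML and ValueError for anything else unusable."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    params = []
    for value in root.iterfind("./params/param/value"):
        s = value.find("string")  # XML-RPC also allows bare <value>text</value>
        params.append(((s.text if s is not None else value.text) or "").strip())
    return root, method, params


def pingback_side_effect(body, blog_host):
    """Model of what the WordPress server at blog_host does with a pingback, following
    the behaviour described in the text (a model, not WordPress's own code): it honours
    the call only when the target URL points at itself, then issues an HTTP GET to the
    source URL to check that the link exists.  Returns (host, request line) as seen by
    the *source* host, or None when the pingback would be rejected."""
    _, method, params = parse_xmlrpc(body)
    if method != "pingback.ping" or len(params) != 2:
        return None
    source_uri, target_uri = params
    if urlsplit(target_uri).hostname != blog_host:
        return None  # not one of our posts: WordPress refuses it
    src = urlsplit(source_uri)
    if src.scheme not in ("http", "https") or not src.hostname:
        return None
    path = src.path or "/"
    if src.query:
        path += "?" + src.query  # the query string is fetched verbatim
    return src.hostname, "GET %s HTTP/1.0" % path


def waf_blocks(request_path, body):
    """Pingback blocking as a WAF in front of WordPress would do it (an illustration of
    the effect of a rule like WP0001, not its actual logic): refuse XML-RPC calls to
    xmlrpc.php that invoke pingback.ping, directly or batched inside system.multicall,
    and let every other method through so mobile apps and plugins keep working."""
    if not request_path.endswith("/xmlrpc.php"):
        return False
    try:
        root, method, _ = parse_xmlrpc(body)
    except (ET.ParseError, ValueError):
        # Fail closed: a body our parser cannot read but WordPress might is exactly
        # the kind of parser differential an attacker would use to slip past the rule.
        return True
    if method == "pingback.ping":
        return True
    if method == "system.multicall":
        # Batched calls carry their method names as <string> values inside the params.
        return any((s.text or "").strip() == "pingback.ping" for s in root.iter("string"))
    return False


if __name__ == "__main__":
    print("victim receives:", pingback_side_effect(PINGBACK_BODY, "blog.example"))
    print("WAF blocks pingback:", waf_blocks("/xmlrpc.php", PINGBACK_BODY))
    print("WAF blocks other call:", waf_blocks("/xmlrpc.php", OTHER_BODY))
```

Two points worth noting from the model. The reflector only checks that the target is its own post; it never checks whether the source is plausible, which is what makes an arbitrary victim URL acceptable. And because the check happens at the method level, a WordPress site that is not behind a WAF can get the same effect at the origin by removing pingback.ping from the methods exposed through the xmlrpc_methods filter, at the cost of no longer receiving legitimate pingbacks.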

Fortunately, our WordPress WAF rule WP0001, "WordPress Pingback Blocker", immediately stops your WordPress blog from being used as a reflector in this type of pingback abuse. If you run WordPress, you may want to enable it today; note that it blocks legitimate pingbacks as well, so it is a trade-off if you rely on them.

CloudFlare WAF rules for WordPress

You can find the "CloudFlare WordPress" ruleset under CloudFlare Settings > Security > Manage WAF. Toggle the switch to turn the CloudFlare WordPress ruleset on, and you're all set.

For an added sting in the tail, the attack Sucuri observed also appended a constantly changing query string to the source URL it claimed had linked to the blog. Because the reflecting WordPress servers fetch that URL verbatim, the victim receives a stream of requests for URLs it has never served before, which neutralises most caches and forces the server to build the page from scratch over and over again. Fortunately we also have CloudFlare WordPress rule 100000, "WordPress Numbers Botnet", which blocks this type of behaviour.
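On the receiving end, the cache-busting shows up in the access log as many requests for the same path with a different throwaway query string each time, sent by reflectors whose User-Agent is WordPress's own outbound one (WordPress/<version>; <home URL>). The following added Python example, which is not from the original post and is not CloudFlare's rule logic, runs that detection over a handful of constructed combined-format log lines. The all-numeric query pattern, the IP addresses (documentation ranges), the paths and the reflector home URLs are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines (Apache combined format) for a site on the receiving end
# of a pingback flood.  Every field is made up for illustration.  The User-Agent is the
# form WordPress uses for its own outbound HTTP requests, which is what a victim sees,
# because the reflecting WordPress site, not the attacker, sets it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:13:55:36 +0000] "GET /2014/03/launch/?4137049=643182 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-a.example"
198.51.100.22 - - [10/Mar/2014:13:55:36 +0000] "GET /2014/03/launch/?9913328=117734 HTTP/1.0" 200 48213 "-" "WordPress/3.7.1; http://blog-b.example"
192.0.2.44 - - [10/Mar/2014:13:55:37 +0000] "GET /2014/03/launch/?p=5 HTTP/1.1" 200 48213 "http://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2014:13:55:37 +0000] "GET /2014/03/launch/?2284401=570115 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-a.example"
192.0.2.45 - - [10/Mar/2014:13:55:38 +0000] "GET /2014/03/launch/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed cache-busting shape: a query string made only of digits, '=' and '&'.  It
# names no parameter WordPress understands, and a fresh one per request defeats any
# cache keyed on the full URL.  Legitimate queries like ?p=5 contain letters.
NUMERIC_QUERY_RE = re.compile(r"^[0-9=&]+$")


def parse_line(line):
    """Parse one combined-format line into a dict, splitting the target into
    path and query.  Returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def is_cache_busting_pingback_fetch(rec):
    """True for a request that looks like a WordPress pingback verification fetch
    carrying a throwaway numeric query string (the assumed pattern above)."""
    return (
        rec["ua"].startswith("WordPress/")
        and bool(rec["query"])
        and NUMERIC_QUERY_RE.match(rec["query"]) is not None
    )


def analyze(log_text):
    """Run the detection over a log.  Returns (flagged records, flagged requests per
    reflector IP, number of distinct query strings seen per path) so an operator can
    both rate-limit the reflectors and see how many cache misses the flood caused."""
    flagged = []
    per_ip = Counter()
    variants = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cache_busting_pingback_fetch(rec):
            continue
        flagged.append(rec)
        per_ip[rec["ip"]] += 1
        variants[rec["path"]].add(rec["query"])
    return flagged, per_ip, {p: len(q) for p, q in variants.items()}


if __name__ == "__main__":
    flagged, per_ip, variants = analyze(SAMPLE_LOG)
    print("flagged requests:", len(flagged))
    print("per reflector:", dict(per_ip))
    print("distinct cache-busting URLs per path:", variants)
```

The heuristic deliberately keys on the combination of a WordPress User-Agent and a meaningless query string rather than on the User-Agent alone, since blocking every WordPress/ fetch would also break legitimate pingbacks to your own posts. A plain pingback flood without the cache-busting twist still hurts a small server; for that case the per-reflector counts are the useful output, as they identify which sites to rate-limit.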

So whether your blog is being used to attack others or is the one under attack, our WAF can help. For more information on our WAF, see cloudflare.com/waf.
