How are WordPress Pingbacks Exploited?
While you may hear a lot about WordPress exploits, it could be that you’re not familiar with how the pingback mechanism in WordPress works, or how it can be used by dastardly hackers.
One of the most popular approaches is to use the XML-RPC mechanism, inherent in WordPress, because it gives hackers the ability to push many requests through a single server requests.
Yes, read that again. When using xmlrpc.php as a hacking tool, hackers are able to send 1 single request to the server (instead of 50, 100 or 500), but within that 1 request, they can include an entire array of other requests. Imagine being able to brute force attack a site with thousands of requests, without ever triggering the brute force / DDoS defensive systems – it’s a very efficient approach.
Sucuri, one of the top brands in WordPress security, explains all the ins and outs about system.multicall and exactly how this “amplification” of attacks occurs within WordPress. They also publish some fantastic stats related to WordPress security, such as the fact that pingback DDoS attacks account for 13% of all DDoS attacks they track!
For more about distributed denial of service (DDoS) attacks, check out the KnownHost blog: https://www.knownhost.com/blog/ddos-explained/
How are WordPress Pingbacks Spoofed in DDoS Attacks and Login Hacks?
Pingbacks are used in about 1/8th of all DDoS attacks and a large portion of login hacks, largely because they originally weren’t verified before being accepted and added.
As the Sucuri post explains, originally WordPress pingbacks were logged somewhat simplistically. It wasn’t until version 3.9 that the IP address started being logged and the pingback link verified:
WordPress/4.3.3; http://18.104.22.168; verifying pingback from 22.214.171.124
In newer versions, additional detail become available:
126.96.36.199 – – [16/Feb/2016:23:45:57 -0500] “GET / HTTP/1.0” 403 5301 “-” “WordPress/4.2.7; http://www.fluxstudio-sh.com; verifying pingback from 188.8.131.52”
After you see a number of logged entries all from the same IP, 184.108.40.206, you can do a reverse WHOIS lookup on the IP and find out who is responsible for sending the attacks. It could very well be that their machine has been compromised and isn’t aware they’re part of a botnet – or it could be that they’re just malicious.
In the newer example above, the WordPress/4.2.7 version, origination IP and origination site URL have all been spoofed (completely faked).
With verification in place, WordPress will check behind the scenes to confirm the site in question has a post with a link to your site. If it doesn’t, the WordPress pingbacks will never appear in your queue to be approved.