WordPress support from our community
Millions of WordPress sites Exploitable
May 1, 2013 at 1:39 pm #1637 Jonathan Goodman (Participant)
Very Important Article: http://thehackernews.com/2013/05/millions-of-wordpress-sites-exploitable.html

May 1, 2013 at 2:18 pm #2863
We’re always a bit suspicious when some company says, “We found this horrible thing. BTW, our solution takes care of it.”
IMHO, all Incapsula has done so far is release a self-serving folk tale… Chicken Little said, “The sky is falling, the sky is falling!” Google “chicken little folk tale” if you’re unfamiliar.
* The xmlrpc vulnerability was fixed in WP 3.5.1
* There are many, many ways to execute DDOS attacks. Most, if not all methods are far easier than using a “botnet to exploit WP pingback”… nothing there to be concerned about (at least not yet).
That said… we’ll keep our eyes peeled and I’ll report back should there be something tangible for WP site owners to worry about… and most importantly, provide a repair or solution if there’s a need.
I’m speaking on security at the June 18th meetup… will add DDOS attacks to the presentation.
Net-net for now IMHO… there are far more important WP issues to worry about than the subject of that article.

May 1, 2013 at 2:35 pm #2864 Jonathan Goodman (Participant)
Yes, I was a little annoyed by that last part of the article as it very quickly turned into a sales pitch. However, I felt the main content of the article was something that our members should be aware of.

May 1, 2013 at 2:50 pm #2865
Yes, people should be aware of DDOS attacks.
I’ll add DDOS to the presentation. It’s a somewhat frustrating topic… similar to a talk about how to stop other vehicles from running into you while you’re driving.

May 3, 2013 at 3:09 pm #2866 Igal Zeifman (Participant)
I’m a Product Evangelist for Incapsula and I wanted to say that:
a. The article actually includes a how-to-fix-yourself explanation: “Delete or rename xmlrpc.php in the root directory of your WordPress installation”
b. The so-called sales pitch is: “All website using Incapsula are protected from such abuse.” We’ve included this fact to prevent unnecessary concern and time wasting inquiries from our clients. We secure thousands of WP sites and we really don’t want to be DDoSed (excuse the pun) by support tickets.
BTW, we don’t even charge for the solution – which is provided as a part of our free plan.
To address some other points:
– Yes, this is a known exploit. We clearly state so in our article. Still, if you visit the original Acunetix report, you’ll see that the issue was marked as “addressed” in WP 3.5.1 when in fact the vulnerability was not fixed at all.
– Although this was theoretically proven in 2006, what we documented was the 1st use in the wild. We hope that this “smoking gun” will promote the discussion about a wide-spread solution.
– Since we’ve published this, we’ve been contacted by several webmasters and IT professionals who suffered from these attacks and couldn’t identify them – until now.
– Yes, there are many other means for DDoS. Still, as a DDoS mitigation service provider I would argue that more “obvious” DDoS attacks (i.e. UDP floods, SYN flood, brute force, etc) end up creating abnormal traffic patterns and as such are much easier to identify and mitigate, especially when compared to a stream of legal requests, coming from very established websites, which execute something that looks exactly like – and in fact is – a native WP functionality.
– To make it 101% clear. This statement is FALSE: “The xmlrpc vulnerability was fixed in WP 3.5.1”, as confirmed by comments of WP lead core developer below our article.
– Our follow-up research shows that 8.49% of all Alexa top 25,000 websites are potentially exploitable for pingback DDoS attacks. If you feel that THIS is unimportant, I envy your job. 🙂

May 4, 2013 at 3:18 pm #2867
Net-net… IMHO… there are far more important WordPress issues to worry about than the subject of that article.

May 4, 2013 at 8:14 pm #2868 Igal Zeifman (Participant)
Perhaps, but why not cover all bases? We will safeguard against SQLI and XSS, but that doesn’t mean that we won’t take care of spammers and scrapers… For comprehensive protection it makes no sense to focus only on top tier threats.
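As an added example (not from this thread, and not Incapsula's or WordPress's code), here is a small defender-side log check for the situation Igal describes above: a target site receiving page fetches that are genuine WordPress pingback verifications, issued by many unrelated sites on behalf of one origin. It assumes Apache combined-format access logs and the User-Agent shape WordPress core uses when verifying a pingback ("WordPress/<version>; <site>; verifying pingback from <ip>"); the log lines below are constructed.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines as the *target* site would see them.
# Each reflector (an unrelated, legitimate WordPress site) fetches the target
# page once per pingback it was asked to verify; the origin IP named in the
# User-Agent is the one that sent the pingback.ping call to the reflector.
# The UA shape is assumed from WordPress core's pingback handler, not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2013:15:18:01 +0000] "GET /?p=1 HTTP/1.0" 200 5120 "-" "WordPress/3.5.1; http://blog-a.example; verifying pingback from 203.0.113.9"
198.51.100.8 - - [04/May/2013:15:18:01 +0000] "GET /?p=1 HTTP/1.0" 200 5120 "-" "WordPress/3.4.2; http://blog-b.example; verifying pingback from 203.0.113.9"
198.51.100.9 - - [04/May/2013:15:18:02 +0000] "GET /?p=1 HTTP/1.0" 200 5120 "-" "WordPress/3.5; http://blog-c.example; verifying pingback from 203.0.113.9"
198.51.100.7 - - [04/May/2013:15:18:02 +0000] "GET /?p=1 HTTP/1.0" 200 5120 "-" "WordPress/3.5.1; http://blog-a.example; verifying pingback from 203.0.113.9"
192.0.2.44 - - [04/May/2013:15:18:03 +0000] "GET /about/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
192.0.2.45 - - [04/May/2013:15:18:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Python-urllib/2.7"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# UA sent by a WordPress site while it verifies a pingback it received (assumed shape).
PINGBACK_UA_RE = re.compile(r'^WordPress/(?P<ver>\S+); (?P<home>\S+); verifying pingback from (?P<origin>\S+)$')


def analyze_log(log_text, min_reflectors=3):
    """Summarise pingback-related activity in one access-log excerpt.

    Returns hit counts per reflector, the origin IPs the reflectors say they are
    verifying for, the number of inbound POSTs to /xmlrpc.php (this site being
    used as a reflector itself), and whether the distinct-reflector count
    reaches min_reflectors. Individually each fetch is legitimate WP behaviour;
    the signal is many reflectors naming the same origin in a short window.
    """
    reflectors = Counter()
    claimed_origins = Counter()
    xmlrpc_posts = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        if m['method'] == 'POST' and m['path'] == '/xmlrpc.php':
            xmlrpc_posts += 1
        ua = PINGBACK_UA_RE.match(m['ua'])
        if ua:
            reflectors[m['ip']] += 1
            claimed_origins[ua['origin']] += 1
    return {'reflectors': dict(reflectors), 'claimed_origins': dict(claimed_origins),
            'xmlrpc_posts': xmlrpc_posts, 'flagged': len(reflectors) >= min_reflectors}


if __name__ == '__main__':
    print(analyze_log(SAMPLE_LOG))
```

On the sample, three distinct reflectors all name 203.0.113.9 as the pingback origin, so the excerpt is flagged; the single POST to /xmlrpc.php shows the same site could also be serving as a reflector for someone else.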