Hi
I'm a Product Evangelist for Incapsula and I wanted to say that:
a. The article actually includes a how-to-fix-yourself explanation: “Delete or rename xmlrpc.php in the root directory of your WordPress installation”
b. The so-called sales pitch is: “All websites using Incapsula are protected from such abuse.” We’ve included this fact to prevent unnecessary concern and time-wasting inquiries from our clients. We secure thousands of WP sites and we really don’t want to be DDoSed (excuse the pun) by support tickets.
BTW, we don’t even charge for the solution – which is provided as a part of our free plan.
To address some other points:
– Yes, this is a known exploit. We clearly state so in our article. Still, if you visit the original Acunetix report, you'll see that the issue was marked as “addressed” in WP 3.5.1 when in fact the vulnerability was not fixed at all.
– Although this was theoretically proven in 2006, what we documented was the 1st use in the wild. We hope that this “smoking gun” will promote the discussion about a widespread solution.
– Since we’ve published this, we’ve been contacted by several webmasters and IT professionals who suffered from these attacks and couldn’t identify them – until now.
– Yes, there are many other means for DDoS. Still, as a DDoS mitigation service provider I would argue that more “obvious” DDoS attacks (i.e. UDP floods, SYN floods, brute force, etc.) end up creating abnormal traffic patterns and as such are much easier to identify and mitigate, especially when compared to a stream of legal requests, coming from very established websites, which execute something that looks exactly like – and in fact is – a native WP functionality.
– To make it 101% clear. This statement is FALSE: “The xmlrpc vulnerability was fixed in WP 3.5.1”, as confirmed by comments of WP lead core developer below our article.
– Our follow-up research shows that 8.49% of all Alexa top 25,000 websites are potentially exploitable for pingback DDoS attacks. If you feel that THIS is unimportant, I envy your job. 🙂
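The comment above argues that pingback floods are hard to spot because every request is a valid WordPress fetch. One way a site owner can still recognise the pattern in their own access log is to look for pingback verification fetches arriving from many distinct WordPress installations at once. The following detector is an added example, not code from the commenter or from Incapsula; it assumes a Combined Log Format access log, the User-Agent shape WordPress uses for pingback verification fetches, and constructed sample lines.

```python
import re
from collections import defaultdict

# Combined Log Format parser (assumed layout; the original post shows no logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress sends when it fetches the page named in a pingback.ping
# call: "WordPress/<ver>; <blog url>; verifying pingback from <ip>".
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<blog>\S+); verifying pingback from (?P<src>\S+)$'
)

def pingback_stats(lines):
    """Count pingback verification fetches; collect the distinct WordPress
    sites (reflectors), the XML-RPC client IP each reports, and target paths."""
    stats = {"hits": 0, "reflectors": set(), "claimed_sources": set(),
             "paths": defaultdict(int)}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if not ua:
            continue  # ordinary browser or bot traffic
        stats["hits"] += 1
        stats["reflectors"].add(ua.group("blog"))
        stats["claimed_sources"].add(ua.group("src"))
        stats["paths"][m.group("path")] += 1
    return stats

def is_pingback_flood(lines, min_reflectors=3):
    """A genuine pingback arrives from the one or two blogs that linked to a
    post. Many distinct reflectors fetching the same few paths is the
    reflection pattern the thread describes, even though each request is valid."""
    s = pingback_stats(lines)
    return len(s["reflectors"]) >= min_reflectors and len(s["paths"]) <= 2

# Constructed sample: four WordPress sites fetch the same page within two
# seconds, all naming the same XML-RPC client; one ordinary visitor follows.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2014:10:00:01 +0000] "GET /?p=1234 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.9"',
    '198.51.100.8 - - [10/Mar/2014:10:00:01 +0000] "GET /?p=1234 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.9"',
    '198.51.100.9 - - [10/Mar/2014:10:00:02 +0000] "GET /?p=1234 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 203.0.113.9"',
    '198.51.100.10 - - [10/Mar/2014:10:00:02 +0000] "GET /?p=1234 HTTP/1.0" 200 5120 "-" "WordPress/3.6; http://blog-d.example; verifying pingback from 203.0.113.9"',
    '192.0.2.5 - - [10/Mar/2014:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

The same XML-RPC client IP reported by every reflector is a further clue worth checking in `claimed_sources`; the thresholds are starting points to tune against a site's normal pingback volume.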