Fending Off WordPress Pingback DDoS with nginx

Since 2014, it has been possible to abuse legitimate WordPress blogs for an attack. All the attacker needs is a number of WordPress installations that have pingbacks enabled, which is the default setting.

The attacker tricks each WordPress blog into believing that a pingback came from the victim's site; WordPress then verifies the pingback by requesting the victim's site. Done with numerous WordPress blogs at the same time, the resulting flood of traffic can cripple the victim's site.

One of my sites was hit by just such an attack, but it is fairly easy to do something about it. I simply blocked all requests to my nginx **server block** whose user agent contains "WordPress":

```nginx
# WordPress Pingback: reject any request whose User-Agent header
# contains "WordPress" (~* is a case-insensitive regex match)
if ($http_user_agent ~* "WordPress") {
    return 403;
}
```

After that, restart nginx and the snippet will stop the attacker from crippling your server. (More precisely, nginx itself can still be hit by the requests, but it now rejects them very efficiently instead of letting them through and passing them on to backends such as PHP or Node.js.)
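To confirm that such a flood is really pingback verification traffic, and later that the rule is active, it helps to look at the access log. The script below is an added example, not part of the original post: it parses nginx's default "combined" log format, applies the same case-insensitive "WordPress" test as the rule above, and summarises the WordPress-agent requests by source, status code and the origin they claim to be verifying (the `verifying pingback from <ip>` text in the user agent, and the sample log lines, are assumptions constructed for this example).

```python
import re
from collections import Counter

# nginx "combined" log format (assumption: the site uses the default format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Same case-insensitive test as the nginx "if" rule in the post.
WP_UA = re.compile(r"WordPress", re.IGNORECASE)
# Origin claimed by the verifying blog (assumed user-agent format).
CLAIMED = re.compile(r"verifying pingback from (\S+)", re.IGNORECASE)

# Constructed sample: three blogs verify a pingback that supposedly came
# from 198.51.100.7, one normal visitor, then one request after the block.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "WordPress/6.3; https://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "WordPress/6.2; https://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "wordpress/5.9; https://blog-c.example; verifying pingback from 198.51.100.7"
198.51.100.20 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 403 153 "-" "WordPress/6.3; https://blog-a.example; verifying pingback from 198.51.100.7"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count WordPress-agent requests by source IP, status and claimed origin.

    A high 'distinct_sources' with one shared claimed origin is the pingback
    pattern; 403s appearing in 'status' show the nginx rule is rejecting them.
    """
    total = wp = 0
    sources, statuses, origins = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if WP_UA.search(rec["ua"]):
            wp += 1
            sources[rec["ip"]] += 1
            statuses[rec["status"]] += 1
            m = CLAIMED.search(rec["ua"])
            if m:
                origins[m.group(1)] += 1
    return {"total": total, "wordpress": wp, "distinct_sources": len(sources),
            "status": dict(statuses), "claimed_origins": dict(origins)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against a real log with `summarize(open("/var/log/nginx/access.log"))` (path assumed); the `status` counts before and after the change show whether the 403 rule took effect.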
