OVER 160,000 legitimate WordPress websites have been abused by attackers, security firm Sucuri has claimed, in a scheme that turned them into an involuntary botnet and made them launch distributed denial of service (DDoS) attacks without their owners' knowledge.
Sucuri said it uncovered the botnet while examining an attack targeting one of its customers. Sucuri CTO Daniel Cid wrote in a blog post that the firm traced the sources of the attack to more than 162,000 legitimate WordPress websites.
"The most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending random requests at a very large scale and bringing the site down," he said.
"Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack [the] site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk."
The attack abuses the pingback feature that WordPress exposes through its XML-RPC interface. A single attacker sends one pingback request to each of thousands of clean, popular WordPress sites, and every one of them dutifully sends a request to the victim, so the sites themselves become the DDoS source.
"And that all happens with a simple ping-back request to the XML-RPC file," Sucuri's CTO added. "This is a well-known issue within WordPress and [while] the core team is aware of it, it's not something that will be patched, though. In many cases this same issue is categorised as a feature, one that many plugins use, so in there lies the dilemma."
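What that "simple ping-back request" looks like, and how an edge filter can drop it while leaving the rest of XML-RPC alone, as an added example (this is not code from the article or from Sucuri). The hostnames reflector.example and victim.example are constructed; the method name pingback.ping and its (sourceURI, targetURI) arguments are the documented Pingback API that WordPress implements.

```python
"""Added example (not the article's or Sucuri's code): the pingback
reflection request to xmlrpc.php, and an edge-filter check for it.

Constructed names: reflector.example (a clean WordPress site being abused),
victim.example (the site being flooded)."""
import xmlrpc.client
from urllib.parse import urlparse


def build_call(method: str, *params) -> str:
    """Serialise an XML-RPC method call body the way a client would POST it."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


# The one POST the attacker sends to http://reflector.example/xmlrpc.php.
# sourceURI points at the victim (with a random query string so no cache
# answers); targetURI is a real post on the reflector. The reflector then
# fetches sourceURI to look for a link back -- that fetch, repeated from
# every abused site, is the flood the victim receives.
PINGBACK_BODY = build_call(
    "pingback.ping",
    "http://victim.example/?4137049=643182",          # sourceURI (constructed)
    "http://reflector.example/2014/03/hello-world/",  # targetURI (constructed)
)


def parse_xmlrpc_call(body: str) -> tuple:
    """Return (methodname, params) from a raw XML-RPC POST body."""
    params, method = xmlrpc.client.loads(body)
    return method, params


def pingback_decision(body: str, allow_pingbacks: bool = False) -> tuple:
    """Edge-filter policy for a POST to xmlrpc.php.

    Returns (action, detail). With allow_pingbacks=False this is the
    'disable pingbacks' mitigation: pingback.ping is dropped, every other
    XML-RPC method (used by plugins and mobile clients) passes. Either way
    the detail names the host this site would have been made to fetch, i.e.
    the real target of the abuse, so the operator can see who is being hit.
    """
    try:
        method, params = parse_xmlrpc_call(body)
    except Exception:                # bad XML, a <fault>, unknown value types
        return "block", "malformed XML-RPC body"
    if method != "pingback.ping":
        return "allow", method
    if len(params) != 2 or not all(isinstance(p, str) for p in params):
        return "block", "pingback.ping with unexpected arguments"
    source_uri, _target_uri = params
    fetched_host = urlparse(source_uri).hostname or "?"
    if allow_pingbacks:
        return "allow", fetched_host
    return "block", fetched_host


if __name__ == "__main__":
    print(pingback_decision(PINGBACK_BODY))   # ('block', 'victim.example')
    print(pingback_decision(build_call("wp.getUsersBlogs", "user", "pass")))
```

The check is deliberately narrow: it refuses only `pingback.ping`, because blanket-blocking `xmlrpc.php` breaks the plugins and mobile apps Cid mentions. Recording the sourceURI host before dropping the request is worth the few extra lines, since it tells the operator which site is under attack and gives them something concrete to report.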
Cid said WordPress users concerned that their site might be taking part should disable the XML-RPC functionality on their website, or use an automated scanner from a reputable security provider to check whether they are exposed.
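From the victim's side, the reflected traffic has a recognisable shape in the access log, and Cid's remark about blocking at the edge firewall suggests what to look for. The following is an added example, not the article's or Sucuri's code: it parses a constructed sample of Apache combined-format log lines (all hosts and names are made up) and counts the distinct WordPress sites behind the flood. The fingerprint it relies on is the User-Agent WordPress sends on its own outbound HTTP requests, `WordPress/<version>; <site URL>`, which names the abused site, together with the random numeric query strings the article describes.

```python
"""Added example (not the article's or Sucuri's code): spotting pingback
reflection traffic in the victim's own access log.

Constructed input: six Apache combined-format lines; reflector-a.example
and friends are made-up hosts."""
import re
from collections import Counter
from urllib.parse import urlparse

SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:14:02:11 +0000] "GET /?4137049=643182 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://reflector-a.example"
203.0.113.11 - - [10/Mar/2014:14:02:11 +0000] "GET /?9180273=110592 HTTP/1.0" 200 5120 "-" "WordPress/3.7.2; http://reflector-b.example"
198.51.100.7 - - [10/Mar/2014:14:02:12 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.10 - - [10/Mar/2014:14:02:12 +0000] "GET /?1265718=408114 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://reflector-a.example"
203.0.113.12 - - [10/Mar/2014:14:02:12 +0000] "GET /?7738819=992310 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog.reflector-c.example"
203.0.113.10 - - [10/Mar/2014:14:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 340 "-" "WordPress/3.8.1; http://reflector-a.example"
"""

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent of WordPress's outbound HTTP client: "WordPress/<ver>; <home URL>"
UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<home>\S+)$")
# A bare numeric key=value query on the front page: matches no real resource,
# exists only to bypass caches (the "random requests" in the article).
QUERY_RE = re.compile(r"^/\?\d+=\d+$")


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_reflected_fetch(rec: dict) -> bool:
    """True for a GET that carries the WordPress outbound User-Agent and a
    random numeric query string: a pingback verification fetch that has been
    pointed at a site it has no reason to visit."""
    return (rec["method"] == "GET"
            and UA_RE.match(rec["ua"]) is not None
            and QUERY_RE.match(rec["path"]) is not None)


def summarize(log_text: str) -> dict:
    """Count flagged requests and the distinct abused WordPress sites behind them."""
    reflectors = Counter()
    total = flagged = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # not combined format; skip it
        total += 1
        if is_reflected_fetch(rec):
            flagged += 1
            home = UA_RE.match(rec["ua"])["home"]
            reflectors[urlparse(home).hostname] += 1
    return {"total": total, "flagged": flagged, "reflectors": dict(reflectors)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['flagged']} of {s['total']} requests look reflected, "
          f"from {len(s['reflectors'])} distinct WordPress sites")
    for host, n in sorted(s["reflectors"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {host}")
```

Two caveats a practitioner would apply before turning this into a firewall rule. The User-Agent is set by the client and trivially forged, and a single genuine pingback verification fetch from one blog looks exactly like one line of this flood; what marks the attack is the number of distinct WordPress hosts in a short window and query strings that match no real resource, so alert on those counts rather than on the string alone. The last sample line, a legitimate `POST /xmlrpc.php` from one of the same sites, is deliberately left unflagged for that reason. The host list the function returns is also the list of site owners who should be told their installation is being abused.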
This is not the first time that WordPress has come under fire from hackers. In January 2012, hundreds of WordPress websites and blogs were compromised.
That attack affected websites running the old WordPress version 3.2.1, according to M86 Security Labs, which found sites that had been injected with code redirecting visitors to an exploit website.