WordPress & Pingbacks – Now a Security Threat

It is safe to say that WordPress was a revolution of sorts in the world of content management systems (CMS). It was certainly not the first; many of us were developing CMS platforms as early as the late 90s, as one-off web development projects built from the ground up. Many of those code snippets ended up on open-source sites all over the web, laying the groundwork for the first truly open-source blog CMS, WordPress.

According to WordPress’ website counter there are 76,793,570 websites running their CMS. As of March 2014, 60% of all websites running a content management system are running WordPress.

That is why the recent revelation matters: the long-used, but mostly useless, pingbacks (also known as trackbacks) are providing a “back door” to hackers, who use websites running WordPress as part of a distributed denial of service (DDoS) attack. The first discovery of it affected over 160,000 WordPress-powered websites, which were used as DDoS zombies to launch the attacks from their webhosts’ servers.

The issue was first reported by Daniel Cid of Sucuri, Inc.: a client’s website had gone down under a DDoS attack that eventually grew to the point that their webhost had to shut them down completely until the attack source could be identified and removed. What they discovered was that one attacker was using thousands of well-known, popular and, at least from an average security viewpoint, clean and safe websites to launch the denial of service attacks. How? By sending a simple pingback request to each site’s XML-RPC file containing the method call for a pingback.

Cid recommends that you disable the pingback function, and the best way to do that is to create a plugin for that purpose. The plugin needs to add a filter, the code for which he has here, and Sucuri has a nice little tool for checking your own website to verify whether it is being used for a DDoS attack.
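A minimal plugin of the kind described above, written here as an added example and not Cid’s or Sucuri’s code. The hook names (`xmlrpc_methods`, `wp_headers`, `pings_open`) are real WordPress core filters; the function names prefixed `example_` are my own.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks (added example)
 * Description: Removes the pingback.ping XML-RPC method so this site cannot be
 *              made to fetch attacker-chosen URLs as part of a pingback DDoS.
 */

// Refuse to run if this file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Strip the pingback method from the XML-RPC method table.
 *
 * After this, a pingback.ping call to xmlrpc.php is answered with a
 * "method does not exist" fault instead of WordPress requesting the
 * URL supplied by the caller.
 */
function example_disable_pingback_method( array $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_disable_pingback_method' );

/**
 * Stop advertising the pingback endpoint: WordPress adds an X-Pingback
 * header to singular pages when pings are open, which is how the XML-RPC
 * URL is discovered in the first place.
 */
function example_remove_pingback_header( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

/**
 * Report pings as closed for every post, so that a per-post setting
 * cannot quietly re-enable them. __return_false is a core helper.
 */
add_filter( 'pings_open', '__return_false', 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it, or into wp-content/mu-plugins/ to have it load without activation.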

In the early days of search engine optimization pingbacks were often recommended, as the traffic would aid in improving your search positions. Now Google and most of the other search engines are not using this data, preferring richer content and contextual search to drive results. Pingbacks simply provide one website an acknowledgement that another has linked to it. That’s it. Nothing more. It doesn’t improve SEO and now opens up a vulnerability that could be used to do more than just launch attacks on other websites.

If you are one of the 76+ million WordPress users and your company is dependent on both your website and keeping it secure, you may want to consult experts to provide you with the needed security precautions. Although the beauty of these systems early on was how easy they were to use, even for a novice webmaster, they are increasingly complex, and WordPress is a big target that hackers find hard to resist.

Either way, you don’t need pingbacks anymore, and you should check regularly to make sure your site isn’t being used to attack others. It is still important to link to sources, particularly in the news and blog world, but the now useless channel that provides acknowledgement of that link is no longer needed.