WordPress Pingback Attack
Any WordPress site with Pingback enabled (it is switched on by default) can be abused as a reflector in a DDoS (Distributed Denial of Service) attack against other websites.
The XML-RPC Pingback feature of WordPress lets you notify (or ping) another site that you have linked to its content. Unfortunately, an attacker can use the same feature: a single crafted request to the xmlrpc.php file on your WordPress site makes it send traffic to another site on the Internet.
The security firm Sucuri Inc. reported on its blog an instance of this exploit in the wild that used more than 162,000 WordPress sites for a DDoS attack. The popular security news site KrebsOnSecurity.com was also the target of another DDoS attack made up of 42,000 WordPress blogs abusing this exploit, according to its report.
WordPress is aware of this exploit and does not currently have plans to resolve this issue in upcoming versions.
WordPress bloggers can disable pingback for any new posts by going to “Settings” >> “Discussion” and clearing the check marks next to the following options:
- Attempt to notify any blogs linked to from the article
- Allow link notifications from other blogs (pingbacks and trackbacks)
This fix only affects posts created after the setting is changed. Existing WordPress posts keep their current pingback setting and can still be abused for a DDoS attack.
A safer solution is to disable XML-RPC entirely using the Disable XML-RPC WordPress Plugin. Please note that this may also break features of other WordPress plugins that rely on XML-RPC and Pingback, notably the Jetpack WordPress Plugin. If you use Jetpack, or any other plugin that requires XML-RPC, you may want to install the Disable XML-RPC Pingback WordPress Plugin instead, which selectively disables only the Pingback feature.
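For readers who would rather not add a plugin, the same selective fix can be applied with a few lines of PHP. The snippet below is an added example, not code from the original post or from either plugin named above; it uses WordPress's own xmlrpc_methods, wp_headers and pre_option_* filters, and assumes it is saved as a file under wp-content/mu-plugins/ so it loads before regular plugins.

```php
<?php
/**
 * Plugin Name: Disable Pingback (example)
 * Description: Removes only the XML-RPC pingback methods so this site can
 *              no longer be used as a pingback reflector, while leaving the
 *              rest of XML-RPC (e.g. for Jetpack) working.
 *
 * Assumed location: wp-content/mu-plugins/disable-pingback.php
 */

// 1. Drop the pingback methods from the XML-RPC method table.
//    A pingback.ping call now returns a "method not found" fault instead
//    of making WordPress fetch the attacker-supplied target URL.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint in the X-Pingback response
//    header, so mass scanners do not list the site as a reflector.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Force the two Settings > Discussion defaults to "off" for new posts
//    (equivalent to clearing the two check boxes described above).
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

After installing it, a POST of a pingback.ping request to xmlrpc.php should answer with an XML-RPC fault (method not found) while other methods, such as system.listMethods, keep working.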
We have verified that no Scarab Media, Project A Inc customers currently have had their WordPress sites exploited in this manner. If you have a WordPress site and would like to know whether it has been used in a DDoS attack, you can check your site address at the WordPress DDOS Scanner and at KrebsOnSecurity.