Although WordPress has become increasingly popular over the years, it is not without its flaws. Its huge install base, and the large share of that base that is never updated, make it an attractive target, a topic that has been in the news lately with thousands of WordPress websites used as DDoS zombies.
Sucuri, the security research company, has reported that pingbacks, the XML-RPC notification one WordPress site sends to another when it links to a post there (the receiving site then fetches the linking page to verify the pingback), have recently been manipulated by anonymous attackers to launch large distributed denial of service (DDoS) attacks.
Sucuri has been monitoring the situation and drew attention to one attack that involved more than 162,000 WordPress websites, which between them directed hundreds of requests at a single target WordPress site, each request arriving from a different reflecting site's IP address.
Sean Power, Security Operations Manager at DOSarrest, a DDoS mitigation vendor, said that attackers are able to take advantage of older WordPress versions that still contain the vulnerability. He said:
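The attack described above leaves a distinctive trace on the target: every reflected request is a pingback verification, and the User-Agent string WordPress sends for that fetch names the reflecting site and the IP address that submitted the pingback call to it, which is the attacker's, not the reflector's. The following is an added example (not code from the article, from Sucuri or from DOSarrest) that parses a few constructed Apache combined-format log lines as the target's web server would record them and pulls out the reflectors, the originating IP and the cache-busting query strings. The IP addresses and site names are hypothetical; the `WordPress/<version>; <site url>; verifying pingback from <ip>` User-Agent shape is the one WordPress uses for the verification request.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format, as the target's web
# server would record them. They are not from the article or from Sucuri's data;
# the IPs are documentation-range addresses and the site names are hypothetical.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?4137049=6431829 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [10/Mar/2014:12:00:01 +0000] "GET /?9921173=2280011 HTTP/1.0" 200 5123 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.5"
198.51.100.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?1082560=7731904 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 203.0.113.5"
192.0.2.44 - - [10/Mar/2014:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
198.51.100.12 - - [10/Mar/2014:12:00:03 +0000] "GET /?5550218=9034417 HTTP/1.0" 200 5123 "-" "WordPress/3.8.1; http://blog-c.example; verifying pingback from 203.0.113.9"
"""

# One combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The User-Agent WordPress sends when it fetches a page to verify a pingback.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_pingback_reflections(log_text):
    """Return the requests that are WordPress pingback verifications, each annotated
    with the reflecting site and the IP that submitted the pingback to that site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue
        hits.append({
            "reflector_ip": rec["ip"],
            "reflector_site": ua.group("site"),
            "wp_version": ua.group("version"),
            "origin_ip": ua.group("origin"),
            "path": rec["path"],
            # A random query string defeats any cache in front of the target.
            "cache_busting": "?" in rec["path"],
        })
    return hits


def summarize(hits):
    """Aggregate hits so the attack's origin and the set of reflectors are visible."""
    reflectors_by_origin = defaultdict(set)
    for h in hits:
        reflectors_by_origin[h["origin_ip"]].add(h["reflector_site"])
    return {
        "total_pingback_requests": len(hits),
        "requests_per_reflector": Counter(h["reflector_site"] for h in hits),
        "reflectors_per_origin": {o: sorted(s) for o, s in reflectors_by_origin.items()},
        "cache_busting_requests": sum(h["cache_busting"] for h in hits),
    }


def reflector_versions(hits):
    """Map each reflecting site to the WordPress version it announces in its User-Agent."""
    return {h["reflector_site"]: h["wp_version"] for h in hits}


if __name__ == "__main__":
    hits = find_pingback_reflections(SAMPLE_LOG)
    summary = summarize(hits)
    versions = reflector_versions(hits)
    print(f"pingback verification requests: {summary['total_pingback_requests']}")
    for origin, sites in summary["reflectors_per_origin"].items():
        print(f"  pingbacks submitted from {origin} via {len(sites)} reflector(s): {', '.join(sites)}")
    for site, n in summary["requests_per_reflector"].most_common():
        print(f"  {site} (WordPress {versions[site]}): {n} request(s)")
```

The `verifying pingback from` address is the one worth acting on: the reflecting sites are other people's unpatched or unconfigured blogs, while that IP is where the `pingback.ping` calls came from. The User-Agent is set by WordPress itself, so a reflector whose owner has altered it will not be caught by this pattern. Site owners who want to stop their own installation from being used this way can remove `pingback.ping` from the XML-RPC method table through the `xmlrpc_methods` filter rather than disabling XML-RPC outright.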
“This is nothing new – in fact, it was first recognised back in 2007. Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks.
“The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners.”
Power added that this shows how many site owners are failing to update their WordPress installations; if they did, a flaw that has already been fixed could not still be used for DDoS attacks.
Until they do, it would not hurt anyone applying for information security vacancies to have WordPress security on their CV.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.