In a statement sent to a handful of journalists, addressing reports that 162,000 WordPress installations had their XML-RPC functionality (pingback) abused in order to launch a DDoS attack, Jason Cohen, the CTO and founder of WP Engine, said that some people in the media have "incorrectly and unfairly characterized this as a 'security vulnerability' within WordPress..."
Cohen's statement says that calling the risks associated with the XML-RPC implementation used by WordPress a security issue - which make no mistake, that's exactly what it is - is a "cruel and unfair twisting of the facts." He goes on to explain what the pingback function does, calling it "an altruistic, friendly, social system."
As I mentioned in my previous coverage, the attackers used pingback exactly as it's supposed to be used. The difference is that they bypassed caching and other offsetting protections built into WordPress, by calling for pages that didn't exist on the victim's website.
Given that WP Engine uses XML-RPC, or more importantly the pingback function, it isn't shocking to see them attempt to downplay the security issue. But it isn't cruel to call a spade a spade. The risks associated with pingback and XML-RPC have been known for years, seven to be exact.
While WordPress developers have worked long and hard to fix many of the issues that previously plagued the protocol, the pingback function itself can, has been, and will be abused.
In addition to the 162,000 abused websites that were previously covered on the Hash, on Wednesday this week, journalist Brian Krebs had his website taken offline when more than 41,000 WordPress installations were used to initiate a DDoS attack against krebsonsecurity.com. He recovered domain by filtering out pingback acceptance.
So yes. This is a security issue. The risk associated with seeing your domain used to launch a DDoS attack isn't something to be taken lightly, especially if the WordPress installation is to be used for business reasons – a common usage for the platform.
In his statement Cohen explains that pingback, as it's used today, has existed since 2002. This is correct, but the fact that pingback pre-dates WordPress, or exists in Movable Type, Typepad, Drupal, Joomla, Serendipity, or Telligent, doesn't change the point of the story – pingback is a security issue, and it poses a risk.
"When you know that essentially all blogging software since the dawn of blogging has used exactly this protocol in exactly this way, it seems a little strange to say that, because WordPress supports it, it’s a 'security vulnerability.'"
No it doesn't, that's logic. If a function in XML-RPC can cause harm to the website, either directly or indirectly (such as downtime due to host suspensions because the domain is attacking other websites), that's a vulnerability.
"In fact, I think the 'news' should be that it took people 12 years to realize that this ubiquitous social contract of the Internet could be abused in this fashion. The only reason that WordPress was targeted in the news, in my opinion, is that WordPress itself is ubiquitous, powering 20% of all domains on the Internet today..."
Abusing pingback to launch DDoS attacks has been a thing for script kiddies and criminal rent-a-hacker types for years. It's fast, requires almost no bandwidth, and can be automated with a few scripts. Click, click, done. As for the reason WordPress was mentioned ahead of the others, that's because the source of the attacks were WordPress domains.
"Having said all that, of course it’s reasonable to point out that for many site owners, perhaps the benefit of supporting pingbacks isn’t worth the risk of this new type of attack abusing your site."
All this time and ink spent defending the open source platform you bundle and sell as a service, only to restate the point made in several articles on the topic, including my own.
Pingbacks are a risk. And a risk can be a security issue too.
The original article is here, including three options for mitigating the pingback risk on your WordPress installation.