And as for actual WordPress pingbacks .... you should probably switch 'em off

More than 26,000 WordPress sites have been enslaved and used in a recent distributed denial-of-service attack campaign using a vulnerability first described in March 2014. The layer seven attacks exploit the pingback feature activated by default on WordPress sites, which informs other sites when they have been linked to. Those …

  1. Anonymous Coward

    No site hardening tips for us on the attacked end?

    Fine I'll give one. As a first line of defence, you could drop connections with "WordPress" in the user agent, in nginx.

    You ARE using nginx right?

    1. Anonymous Coward

      Remove plugins and themes you don't need, and install All In One WP Security and just follow the built-in instructions and disable as much as you can (pingback is in the "Firewall" tab). Besides pingback there are also XML-RPC weaknesses you'd best kill off unless you use an app, and you may want to consider removing the Jetpack.

      Basically, if you had done what we said the last time there was a problem this should not have been a concern for you :)
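      The two hardening steps above (dropping requests with "WordPress" in the User-Agent at nginx, and switching off pingback/XML-RPC) as an added nginx server block; this is example configuration, not code from the comments, and the site name, certificate paths and upstream address are assumed.

```nginx
# Added example: reject WordPress pingback traffic at the nginx edge.
# example.com, the certificate paths and the upstream are assumptions.

# The pingback fetcher identifies itself with a User-Agent of the form
# "WordPress/<version>; http://<origin-site>", so flag that prefix.
map $http_user_agent $wp_pingback_ua {
    default         0;
    "~*WordPress/"  1;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed path

    # 444 is nginx's "close the connection without sending a response":
    # the flagged request never reaches PHP or the database.
    if ($wp_pingback_ua) {
        return 444;
    }

    # Pingbacks (and the other XML-RPC methods) arrive via xmlrpc.php;
    # if no mobile app or remote client needs XML-RPC, drop it outright.
    location = /xmlrpc.php {
        return 444;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;  # assumed PHP/WordPress upstream
    }
}
```

      This saves the application work of serving each forged request, but nginx only reads the User-Agent after the TLS handshake has completed, so it does not remove the handshake cost raised further down the thread.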

    2. Fazal Majid

      Too late

      The cost of an HTTPS connection is in the initial TLS handshake and key exchange. By the time nginx sees the user-agent header, the harm is already done.

      1. Anonymous Coward

        Re: Too late

        Why the hell would you use HTTPS on a crap-for-security WordPress site?

        1. Mike 16

          Re: Too late

          -- Why the hell would you use HTTPS on a crap-for-security WordPress site? --

          Perhaps because browser vendors are hell-bent on making sure normal people will never see a site unless it's https with a cert issued by one of their favorite criminal gangs^W^W CAs.

          1. Fazal Majid

            Re: Too late

            Let's Encrypt works quite well and is free.

            HTTPS because in the post-Snowden era, everything should be encrypted by default.

  2. Ray Merrall

    Er! There is a way to get https:// on a WP site for free through Cloudflare. A few drawbacks if you use media drawn from other sources, but nothing you can't work around. It's not all the bells and whistles, those cost, but it works.

    1. Anonymous Coward

      My ISP offers them for free; all my sites have a GeoTrust Secure Site starter DV SSL cert, which is SHA-256 with RSA encryption and a 2048-bit key size. Some of these sites are WP, some Joomla, all of them using two-factor logins because that too is free (Joomla has it built in, WP still needs a plugin for it).

      They're using a fairly tightly secured Apache on FreeBSD, which has as its only disadvantage that anything with images has to do without ImageMagick or GraphicsMagick support.

      So the question is not "why", but "why not" :)
