Incapsula reports that a recent DDoS attack against a large gaming Web site was launched from approximately 2,500 WordPress sites, including trendmicro.com, gizmodo.it and zendesk.com.
According to Incapsula, the sites hadn't been compromised -- the attackers just leveraged an existing WordPress vulnerability.
"WordPress has a built in functionality called Pingback, which allows anyone to initiate a request from WordPress to an arbitrary site," writes Incapsula's Gur Shatz. "The functionality should be used to generate cross references between blogs, but it can just as easily be used for a single machine to originate millions of requests from multiple locations."
And Shatz says most WordPress sites are vulnerable to this kind of abuse, simply because it's enabled by default -- it was disabled by default until the release of WordPress 3.5.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them," Shatz writes.
According to Shatz, though, it's easy to fix -- simply log into your Web host's control panel and delete or rename xmlrpc.php in the root directory of your WordPress installation.