
I know a lot of you use WordPress. How many of you explicitly disable pingbacks? Have you had any trouble doing this from your users?

 

http://krebsonsecurity.com/2014/03/blogs-of-war-dont-be-cannon-fodder/

 

He links to a list of the more than 42,000 WordPress sites that were used in the attack on him, and there are 345 “.edu” sites in the list (some are not top level, but I think those are non-US educational sites), including one for the California State University system and some at Harvard, the University of Texas and the University of Michigan.

 

Jason Brady * Web Developer * San Bernardino Community College District *

441 W. 8th Street, San Bernardino CA 92401 *

Tel 909-384-8691 * Mobile 951-295-9515 * Fax 909-885-3371 * jbrady@sbccd.cc.ca.us

 

CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the sender and delete this email from your system. Thank you.

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

From reading the article, I’m not clear how WordPress is being used to launch attacks.

 

Aren

 

Hi Jason,

 

I’m not totally sure about ping-backs, but I think this is probably related: we became aware this week that WordPress 3.5 and above automatically enabled XML-RPC mobile publishing capability. http://wordpress.org/support/topic/solution-to-xmlrpcphp-vulnerability

 

What we’ve done on this end is two-fold: we’ve disabled the capability of logging into our WordPress environment *except* from our campus network. Remote users can VPN and publish. If that’s not an option, there’s a plugin that will automatically disable that remote-publishing capability:

https://wordpress.org/plugins/disable-xml-rpc/ which is key. We’ve done this for a couple of sites we have that are “off the ranch,” so to speak.

 

Hope that helps!

 

Chuck

 

=======================================

Chuck Wyatt

Manager of Web Technical Services

Information Technology Services ▪ Clark University 

(508) 793-7535

 

 

 

At the end of the article is a link to an OpenDNS article that says they exploited the XML remote procedure call.

http://labs.umbrella.com/2014/03/13/wordpress-ddos-visibility-opendns/

 

Hope this helps clarify,

~ Heidi

 

[cross-posting the same response sent to UWEBD]

Here’s another quick writeup on the XML-RPC attacks that might be worth reading, from WP Tavern: http://wptavern.com/how-to-prevent-wordpress-from-participating-in-pingback-denial-of-service-attacks

If you aren’t using pingbacks/trackbacks and your users don’t depend on the integrations with WordPress XML-RPC (for connecting with the mobile WordPress app, for example), now might be a good time to consider disabling that feature…

That link above has the simple plugin code that you could use (presumably you could put it in your theme’s functions.php too if you don’t have access to create plugins for some reason). And here’s another approach via .htaccess that can help lock down xmlrpc.php while still whitelisting desirable IP addresses: http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/ (or at least I’m pretty sure this also fixes the current DDoS attack issue? if someone knows differently, let me know!)

I’m also interested in the discussion about whether trackbacks and pingbacks are even useful now that blog sites are so numerous and given that so many of them come from auto-reposting spam blogs (these types of “comments” were more interesting back in the day, at least in my experience). Have social media and better search tools reduced the need for these automated notifications?

Best,
Adam Norwood


--
Senior Web Strategist :: Senior Web Developer
UT Web Technologies and Infrastructure Subcommittee
University of Texas School of Law
(512) 471.3040     @anorwood

From: <Brady>, Jason W <jbrady@SBCCD.CC.CA.US>
Reply-To: The EDUCAUSE Web Administrators Constituent Group Listserv <WEB@LISTSERV.EDUCAUSE.EDU>
Date: Friday, March 14, 2014 at 2:18 PM
To: "WEB@LISTSERV.EDUCAUSE.EDU" <WEB@LISTSERV.EDUCAUSE.EDU>
Subject: [WEB] WordPress Pingback feature used for DDOS attacks

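The two mitigations discussed in Chuck’s and Adam’s replies (campus-only access to remote publishing, and removing the pingback capability via plugin or functions.php code) can be combined in one must-use plugin. The block below is an added example written for this thread; it is not the Disable XML-RPC plugin, nor the code from the WP Tavern or Perishable Press links. It assumes the file is placed in wp-content/mu-plugins/, that the CIDR ranges are placeholders you replace with your own campus/VPN networks, and that REMOTE_ADDR is the real client address (behind a reverse proxy you would take the client IP from the proxy’s trusted header instead). One caveat that matters here: WordPress consults the xmlrpc_enabled filter only inside the login path, and pingback.ping never logs anyone in, so turning XML-RPC “off” with that filter alone does not stop a site acting as a pingback reflector. The pingback methods therefore have to be dropped from the method table directly, which is what the first filter does.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (pingback reflector mitigation)
 * Description: Added example for the EDUCAUSE WEB thread; not the code of any
 *              linked plugin or article. Place in wp-content/mu-plugins/ so it
 *              loads on every request without needing activation.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/**
 * Networks that may still use the remaining XML-RPC methods (remote/mobile
 * publishing). VPN users should land inside one of these ranges.
 * ASSUMPTION: placeholder values, replace with your own campus ranges.
 */
function harden_xmlrpc_allowed_cidrs() {
    return array( '203.0.113.0/24', '10.0.0.0/8' );
}

/**
 * True if $ip (IPv4 dotted quad) lies inside $cidr ("a.b.c.d/n").
 * Non-IPv4 input (including IPv6) is treated as not matching, i.e. denied.
 */
function harden_xmlrpc_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $bits = max( 0, min( 32, (int) $bits ) );
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Is the current request from one of the allowlisted networks?
 * ASSUMPTION: REMOTE_ADDR is the real client; adjust if behind a proxy.
 */
function harden_xmlrpc_client_allowed() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( harden_xmlrpc_allowed_cidrs() as $cidr ) {
        if ( harden_xmlrpc_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// 1. Remove the pingback methods for everyone. pingback.ping is the method the
//    reflection attack abuses (it makes this server fetch an attacker-chosen
//    URL), and it requires no login, so xmlrpc_enabled alone would not stop it.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint: the X-Pingback response header on single
//    posts is how scanners build lists of usable reflectors.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Everything that does authenticate (remote publishing, the mobile app)
//    is allowed only from the campus/VPN ranges, mirroring "campus network
//    only, remote users VPN in".
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return $enabled && harden_xmlrpc_client_allowed();
} );

// 4. Close pings on posts so the site neither accepts nor sends pingbacks.
add_filter( 'pings_open', '__return_false' );
```

To check the result from outside, send a system.listMethods call to /xmlrpc.php and confirm pingback.ping is absent from the response, and fetch a single post with `curl -sI` to confirm there is no X-Pingback header. The .htaccess approach from Adam’s link still earns its keep as a second layer: it rejects the request before PHP runs, so a flood of pingback.ping POSTs costs the server far less than having WordPress parse each one only to refuse it.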
