Beware! WordPress Security Issues Discovered

In a somewhat ironic twist, popular cybersecurity blog Krebs on Security recently suffered a cyber attack.  The site, just like ours and at least 60 million others out there, is built on WordPress, and the attack illuminated some troubling WordPress security issues.  So what exactly happened and how can you prevent this from happening to your WordPress site?

First of all, Krebs wasn’t the only site to experience the breach.  It was actually a distributed denial of service (DDOS) attack that affected about 162,000 WordPress sites!  According to Krebs, the hackers used the “pingback” function that WordPress includes with their platform.  This function allows the site owner to get “pinged” back (or notified) when an outsider links to a certain page of their site.  While clearly a somewhat useful feature,  it’s apparently low hanging fruit for the more mischievous.

So what’s the fix? Pingbacks, by the way, are enabled by default and most WordPress users tend to glance over the feature.  Here are a few ways to deal with the issue:

1. Disable pingbacks!  Go to Settings > Discussion and uncheck:

• Attempt to notify any blogs linked to from the article
• Allow link notifications from other blogs (pingbacks and trackbacks)

2. Install this plugin

3. Create your own plugin for your site and upload it via FTP.  It must include the following code:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;
} );

Krebs’ post also pointed to this nifty tool to see if your site was used in the recent DDOS attack.  Thats right…some WordPress websites were used to attack other sites without the owner’s knowledge!  Imagine being sued for something that your website did without your knowledge.  Definitely not a fun liability.  At least your Cyber Liability Insurance will kick in to cover you, right?

WordPress security issues resolved.  Update your settings right now!