Wordpress DDoS Zombies: Battle heritage and SEO

WordPress, the world’s most popular content management system, was rocked earlier this month by a large scale DDoS attack. After the attack many website owners were shocked to learn that the attack was enabled by  a WordPress core feature, which allows hackers to launch massive DDoS attacks against virtually any WordPress site,. This vulnerability was reported over a year ago and, as of today, is still not resolved.

The Mechanics of WordPress DDoS

How did these hackers manipulate WordPress to do their malicious bidding? Their method of mischief involved duping XML-RPC pingback. Recent versions of WordPress come with the XML-RPC pingback feature already enabled. This feature allows WordPress sites to communicate with each other through post and comments. When enabled the feature will automatically notify you each time your domain name is mentioned in post and comment on another WP site. 

Source: Incapsula Website Security

In the attack mentioned above, the hackers sent thousands of pingback requests to a herd of   162,000 “voluntary” WP bots, with the return address pointing to the target site. As a result, all at once, the target WP site received a DDoS wave of XML-RPC requests. Most sites can’t handle more than a hundred requests per second, and consequently the hackers succeed in bringing down the target site for several hours.

These hackers used unwitting WordPress sites to attack a fellow WordPress user. Now the million Gb question of the day: was your WordPress site part of the attack?

SEO and DDoS Zombies

As mentioned earlier, this devastating DDoS attack relied on the unknowing participation of over a hundred thousand ‘honest’ WordPress sites. Although the abused sites themselves had no indication about their role in the attack (their processing system might have slowed temporarily), their malicious ‘behavior’ may not go unnoticed by Google, who tracks websites’ online reputations and uses it as one of their SEO metrics.

Source: Google Safe Browsing Initiative

If Google suspects that your account is being used for malicious purposes, it may flag your site as ‘compromised’. The result is blacklisting – a severe demotion of the site in Google index, to the point of complete removal, coupled with a warning saying ‘This site may be compromised’ shown to everyone who can still somehow find you on search. 

Google states that, in the past few years, over 130,000 sites went through the process of “blacklist recovery” and it safe to assume that the overall number of blacklisted sites was much higher than that.

It should be noted that even if your WordPress is not used in a DDoS attack, there are several other ways your site could be abused, potentially damaging your SEO rankings. One common method is for hackers to have zombie browsers post comments on your WordPress with links back to another site. This illegitimate method of boosting SEO is called link farming, and it can send serious warning signs to Google’s page crawlers if you’re not careful. Other, more complex methods, involve hacking your database and your admin passwords to inject the site with malicious files that will inject Trojans into the computers of your visitors. 

Only You can Prevent Pingback DDoS Attacks

The best method for saving your SEO is preemptive security. Arm yourself with strong security software or 3rd party protection, and ere on the side of caution when browsing the web. Malware and Trojans come in many forms—make sure you only open files that you know to be safe.

However, if you are only concerned about the Pingback DDoS exploit, you have few other options.

Website security provider, Incapsula, who was first to report WordPress DDoS attack in April 2013 suggest renaming or deleting the xmlrpc.php file from the root directory of your WordPress, which will prevent further abuse but also disable the original pingback functionality.