New DoS Attack Targets WordPress (Again)

Etai Hochman, At-Bay
Feb 27, 2018 · 3 min read

At-Bay provides cyber insurance for the digital age. Learn more at at-bay.com.

On Feb 6th 2018, an Israeli security researcher disclosed a new denial of service attack against servers running WordPress. The vulnerability is easy to discover and easy to exploit remotely and anonymously.

WordPress claims to power 29% of all websites worldwide. Easy-to-monetize vulnerabilities of this kind in WordPress trouble companies of all types, and should especially worry cyber insurers, who may have large portions of their portfolio exposed.

Additional technical details of the vulnerability can be found here.

Severity of a WordPress DoS attack

Many companies will wonder why an attacker would bother with their WordPress blog, but this type of vulnerability is easily monetized by unsophisticated attackers.

Attackers demand ransom payments in cryptocurrency after demonstrating that they can bring a site down. They run this kind of attack in bulk and pick victims indiscriminately.

The worst case for a company is when its WordPress-powered site is critical to the business, or is hosted on the same server as critical assets.

Because the attack exhausts the server's resources rather than just the WordPress application, it can deny users access to every site hosted on that server: all of its content and services become unreachable.

In the "best case", the WordPress site is non-critical to the business and runs on a segmented server. An attack then takes down the blog or content site but does not meaningfully impact business operations.

Likelihood of WordPress DoS attack

As mentioned above, attackers carry out this attack indiscriminately. They use search engines such as Shodan to automate the discovery of WordPress sites, and can just as easily automate the attack itself against large batches of companies.

Easily automatable vulnerabilities lead to a high probability of attack.

Impact on cyber insurance

This WordPress vulnerability is one of many threats that lead to denial of service and, from there, to extortion.

These types of attacks are likely to lead to the following types of insurable damages:

  1. Extortion: cryptocurrency payment demanded by the attacker
  2. Business interruption: lost revenue from the downtime of the WordPress site and other sites on the same server
  3. Incident response: the costs of contractors to help respond to an incident

How to protect against attacks

To protect against this attack, companies should restrict access to the /wp-admin/ directory, and in particular to /wp-admin/load-scripts.php, which is the resource the attack abuses.

There are at least three ways to mitigate the risk of this particular attack:

  1. Rate limit requests to the WordPress resources. This provides only limited protection, since a determined attacker can use a Distributed Denial of Service attack, spreading requests across many source addresses, to stay under a per-client limit.
  2. Install a WordPress Security plugin such as WPS Hide Login or WP Hide & Security Enhancer.
  3. Install a Web Application Firewall (WAF). Proper deployment of a WAF with a correct ruleset will mitigate this new risk and many others to your web server and its applications.
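The following is an added example, not code from the original post or from WordPress or At-Bay, showing what the rate-limiting option looks like in practice and why it only partly helps. It applies a per-client limit and then a global per-path limit to requests under /wp-admin/, replaying constructed access-log lines (the IP addresses, thresholds, timestamps and log lines are all assumptions made for the demonstration). The single-source scenario is stopped by the per-client limit; the distributed scenario slips under it entirely and is only contained by the global cap, which also throttles legitimate administrators, which is the trade-off the caveat above describes.

```python
"""Per-client and global rate limiting for /wp-admin/ requests over constructed log lines.
Added example, not part of the original post; IPs, thresholds and log lines are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format parser; sample lines are constructed below with hypothetical hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

PROTECTED_PREFIX = "/wp-admin/"            # every path under wp-admin is rate limited
TARGET_PATH = "/wp-admin/load-scripts.php"  # the resource named in the post


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any span of `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)

    def allow(self, key, ts):
        q = self.hits[key]
        while q and ts - q[0] > self.window:   # forget events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def parse(line):
    """Extract client IP, timestamp and path (query string dropped) from one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["target"].split("?", 1)[0],
    }


def filter_requests(lines, per_ip_limit=5, global_limit=50, window_seconds=60):
    """Per-client limit first, then a global per-path limit, for protected paths only."""
    per_ip = SlidingWindowLimiter(per_ip_limit, window_seconds)
    per_path = SlidingWindowLimiter(global_limit, window_seconds)
    summary = {"allowed": 0, "blocked_per_ip": 0, "blocked_global": 0, "passthrough": 0}
    for line in lines:
        req = parse(line)
        if req is None:
            continue
        if not req["path"].startswith(PROTECTED_PREFIX):
            summary["passthrough"] += 1          # public pages are not limited here
            continue
        if not per_ip.allow(req["ip"], req["ts"]):
            summary["blocked_per_ip"] += 1
            continue
        if not per_path.allow(req["path"], req["ts"]):
            summary["blocked_global"] += 1
            continue
        summary["allowed"] += 1
    return summary


def log_line(ip, ts, target, status=200):
    """Build one constructed combined-log-format line (hypothetical data)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {target} HTTP/1.1" {status} 512 "-" "curl/7.58"'


T0 = datetime(2018, 2, 27, 12, 0, 0, tzinfo=timezone.utc)


def single_source_scenario():
    """One client sends 20 requests to load-scripts.php; a visitor loads the front page 3 times."""
    lines = [log_line("203.0.113.7", T0 + timedelta(seconds=i), TARGET_PATH + "?c=1&load[]=jquery-core")
             for i in range(20)]
    lines += [log_line("198.51.100.4", T0 + timedelta(seconds=i), "/") for i in range(3)]
    return filter_requests(lines)


def distributed_scenario():
    """40 clients send 3 requests each: the per-IP limit never fires, only the global cap does."""
    lines = []
    for n in range(40):
        for i in range(3):
            lines.append(log_line(f"203.0.113.{n + 10}", T0 + timedelta(seconds=n), TARGET_PATH))
    return filter_requests(lines)


if __name__ == "__main__":
    print("single source:", single_source_scenario())
    print("distributed:  ", distributed_scenario())
```

The same two-tier scheme is what a WAF or the web server's own request-limiting module would enforce in front of the site; the point of the second tier is that once requests arrive from many addresses, the only knob left is a cap on the resource itself, which protects the rest of the server at the cost of throttling legitimate /wp-admin/ users as well.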

Etai Hochman

At-Bay, CTO
