DDOS from WordPress (.com?) sites
-
A recent [article](https://krebsonsecurity.com/2014/03/blogs-of-war-dont-be-cannon-fodder/) by Brian Krebs suggests using a seemingly unsupported widget to [Disable XML-RPC](https://wordpress.org/plugins/disable-xml-rpc/) that would prevent a WordPress site from taking part in DDOS attacks of a certain type. Can you please allow that widget on WordPress.com sites? While my sites were not part of the attack, it is probably only a matter of time before they are, even though I’ve changed the settings mentioned in the article. This is due to past posts.
-
Hi Douglas,
WordPress.com is a managed version of the open-source WordPress project, which can be run on any server. We very carefully manage and monitor our security (which is the main reason that plugins cannot be installed on our site), whereas these types of attacks are targeted to users who have installed WordPress themselves, but don’t know what kind of precautions to take for security’s sake.
I can assure you that your site is in good hands and the security of your site is even more important to us than it is to you, so we actively look out for issues like this and take proactive action.
If there’s anything else I can help you with, please let me know.
-
Thanks for the assurance. It is appreciated.
While I appreciate that WordPress.com is monitored, monitoring is a passive activity and it does seem that all our blogs are open to be used in the attack in question where the two options are checked by default:
- Attempt to notify any blogs linked to from the article
- Allow link notifications from other blogs (pingbacks and trackbacks)

Can you comment on those options in relation to the DDOS attack specifically? For instance, should WordPress.com bloggers uncheck those items to be safer? If that is not the case, how is the attack prevented on WordPress.com beyond monitoring?
Thanks again.
-
Hi Douglas,
I have checked in with our security teams, who were made aware of the issue as soon as it came to light, and are actively working on creating a fix for this issue.
There is no need for users to disable this functionality, as we will actively block the malicious application while permitting normal and honest use of this tool.
Thanks