by Subscriber Feed

Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri.

The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours, said Daniel Cid, the CTO of Sucuri, in a blog post Monday. The affected site wasn't named.

The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007.

"Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites," Cid said in the blog post.

In the recent incident investigated by Sucuri, attackers sent XML-RPC requests to legitimate WordPress sites instructing them to make pingback calls to randomly generated URLs on the targeted site.
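From the targeted site's side, the pattern described above is visible in its own access log: many different WordPress installations fetching randomly generated URLs within a short window. The following script is an added example, not code from the article or from Sucuri, that parses constructed combined-format log lines, counts requests whose User-Agent looks like a WordPress pingback verifier, and flags the flood when the number of distinct reflecting sites and of distinct random paths both pass a threshold. The User-Agent shape `WordPress/<version>; <reflector URL>; verifying pingback from <address>` is an assumption about what a reflector sends when it fetches the pingback "source" page; the log lines, thresholds and function names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of combined-format access log lines on the attacked site:
# six pingback-verifier fetches of random query strings from five reflectors,
# plus two ordinary browser requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:10:00:01 +0000] "GET /?4534 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Mar/2014:10:00:01 +0000] "GET /?9821 HTTP/1.0" 200 512 "-" "WordPress/3.7; http://blog-b.example; verifying pingback from 198.51.100.7"
198.51.100.40 - - [10/Mar/2014:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [10/Mar/2014:10:00:02 +0000] "GET /?1177 HTTP/1.0" 200 512 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [10/Mar/2014:10:00:02 +0000] "GET /?6042 HTTP/1.0" 200 512 "-" "WordPress/3.6.1; http://blog-d.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Mar/2014:10:00:03 +0000] "GET /?3390 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
198.51.100.41 - - [10/Mar/2014:10:00:03 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.14 - - [10/Mar/2014:10:00:03 +0000] "GET /?7715 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-e.example; verifying pingback from 198.51.100.7"
"""

# Apache/nginx combined log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of the User-Agent a WordPress reflector sends while verifying a
# pingback. The reflector URL identifies the abused site; the trailing address
# is the client that submitted the XML-RPC call to that reflector.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<reflector>\S+); verifying pingback from (?P<origin>\S+)$'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ua = PINGBACK_UA_RE.match(rec["ua"])
    rec["reflector"] = ua.group("reflector") if ua else None
    rec["origin"] = ua.group("origin") if ua else None
    return rec


def summarize(log_text):
    """Count pingback-verifier requests by reflecting site and by originating address."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    pingbacks = [r for r in records if r["reflector"]]
    return {
        "total": len(records),
        "pingback_hits": len(pingbacks),
        "reflectors": Counter(r["reflector"] for r in pingbacks),
        "origins": Counter(r["origin"] for r in pingbacks),
        "distinct_paths": len({r["path"] for r in pingbacks}),
    }


def is_pingback_flood(summary, min_reflectors=3, min_distinct_paths=3):
    """Flag a reflected pingback flood: many reflectors hitting many random paths.

    Thresholds are constructed for the sample; tune them to the site's baseline
    pingback traffic before alerting on production logs.
    """
    return (len(summary["reflectors"]) >= min_reflectors
            and summary["distinct_paths"] >= min_distinct_paths)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['pingback_hits']}/{s['total']} requests are pingback verifications "
          f"from {len(s['reflectors'])} reflectors hitting {s['distinct_paths']} paths")
    print("top originating address:", s["origins"].most_common(1))
    print("flood:", is_pingback_flood(s))
```

The `origins` counter is the most useful field for incident response: because each reflector records the address that submitted the XML-RPC request in the User-Agent it sends to the target, the attacked site can see where the pingback requests were being submitted from even though the HTTP connections arrive from thousands of innocent WordPress installations.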