Raw Look At The Trackback Attack

By Jeffro on March 23, 2010

Now that I’ve weathered the storm and the attacks have subsided for now, I think it would be good to share with you what my raw access log files looked like during that day to see the distributed denial of service in action. Thanks to Kim Parsell, I was able to rename the raw access log file into a text file so I could examine it within NotePad++. Since a large number of trackbacks were aimed at the Backup Buddy review I published, I performed a search in the log file for that post. Here is a sample of what I saw.

I’ve opted to use a screenshot instead of text so as not to link to any of the sites within the log file. As you can see via the screenshot, the Backup Buddy post was being loaded every few minutes by one IP address. While I did receive a large number of trackbacks from a variety of websites, the log file clearly indicates that at least one IP address was the major culprit. It’s also interesting to note that this one IP address hosted different domains, as you can see on the right. Those URLs on the right-hand side were the ones generating the trackbacks. This makes me think that IP address is hosting a good-sized splog network.

The two files that were blamed for sucking up resources on the shared server I was on, XMLRPC.php and Index.php, are shown multiple times being accessed by a variety of IP addresses, not just the one shown in the first screenshot. This is where I think the attack was more distributed in nature.
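A way to pull the pattern described above out of a raw access log (one IP repeatedly POSTing to xmlrpc.php while presenting many different referring domains, plus direct hits on index.php), as an added example that is not from the original post. The log lines are constructed in Apache combined format, and the two-post threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2010:14:02:11 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "http://backup-deals.example/" "Mozilla/4.0"
203.0.113.10 - - [09/Mar/2010:14:02:13 -0500] "GET /2010/03/backup-buddy-review/ HTTP/1.1" 200 51203 "http://cheap-backup.example/" "Mozilla/4.0"
203.0.113.10 - - [09/Mar/2010:14:05:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "http://best-backup-tips.example/" "Mozilla/4.0"
203.0.113.10 - - [09/Mar/2010:14:05:42 -0500] "GET /2010/03/backup-buddy-review/ HTTP/1.1" 200 51203 "http://backup-deals.example/" "Mozilla/4.0"
198.51.100.7 - - [09/Mar/2010:14:06:01 -0500] "GET /2010/03/backup-buddy-review/ HTTP/1.1" 200 51203 "http://www.stumbleupon.com/" "Mozilla/5.0"
198.51.100.8 - - [09/Mar/2010:14:06:30 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Trackback Submitter"
192.0.2.44 - - [09/Mar/2010:14:07:10 -0500] "GET /index.php HTTP/1.1" 200 51203 "-" "-"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse(log_text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_ips(log_text, min_xmlrpc_posts=2):
    """Map each IP that POSTed to xmlrpc.php at least min_xmlrpc_posts times
    (threshold is an assumption) to its post count and the distinct referring
    hosts it presented, the 'many domains from one IP' pattern in the post."""
    posts = defaultdict(int)
    hosts = defaultdict(set)
    for r in parse(log_text):
        if r["method"] == "POST" and r["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            posts[r["ip"]] += 1
        host = urlsplit(r["referer"]).hostname  # "-" (no referer) yields None
        if host:
            hosts[r["ip"]].add(host)
    return {ip: {"xmlrpc_posts": n, "referer_hosts": sorted(hosts[ip])}
            for ip, n in posts.items() if n >= min_xmlrpc_posts}

def direct_index_requests(log_text):
    """Count per-IP requests whose path is exactly /index.php, the case the
    redirect snippet in the second post on this page turns away."""
    counts = defaultdict(int)
    for r in parse(log_text):
        if r["path"] == "/index.php":
            counts[r["ip"]] += 1
    return dict(counts)
```

Run against a real log by reading the file into `suspicious_ips` and `direct_index_requests`; the flagged IP with several referring hosts corresponds to the single culprit the screenshot shows.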

What angers me is the fact that AnHosting, my original hosting provider of 3 years, told me that they had an Automated Firewall System in place but, because of the distributed nature of the attack coming from multiple IP addresses, they couldn’t tell what was legitimate traffic versus illegitimate. Their automated firewall must be broken because it should have blocked that IP address shown in the first screenshot.

Nonetheless, I’m currently on HostGator now with WP-Super Cache installed. I just can’t help but think that with a little more help from AnHosting, I wouldn’t have had to go through webhosting hell. But they operate on a three-strikes rule with suspended sites. Once you hit the third strike, they do not lift the suspension of the site. Since I was on my second strike, I had to leave.

WPTavern Was Trackbacked To Death

By Jeffro on March 10, 2010

Now that things have calmed down, it’s time to discuss what happened that took WPTavern.com offline. It all started the day I published my review of the Backup Buddy plugin from PluginBuddy.com. That post not only received a large number of comments, but it ended up on StumbleUpon and was overall a large success. However, a few hours after that post had been published, I started to receive a large number of trackbacks to that particular post. The trackbacks were from different URLs which appeared to be junk domains. Each site was set up so that an article was published near the top of the page and below the article was a list of related links. Each one of those related links pointed to a source outside of the parent site. I chalked all of these trackbacks up as just typical splog spam and didn’t think anything of it.

The next day, I woke up to see at least 50 more trackbacks in my Akismet queue, all pointing to the Backup Buddy review post. When I started to look at the various junk domains, I noticed that the word Backup appeared to be the keyword these sites were after. Again, I deleted the trackbacks, as I thought it was typical to see a large number of illegitimate trackbacks on a post that was popular. Things started to get interesting once I published the winners of the Backup Buddy giveaway as well as the WPTavern Backup Buddy coupon posts. At the time I didn’t know this, but I now realize that those extra posts with Backup in the title were adding fuel to the fire. I started to receive a large number of trackbacks on those posts with the word Backup in the title. I just kept deleting the trackbacks, thinking nothing of it.

After I came home on March 9th, I took a 4-hour nap, as I was exhausted from working on 4 hours of sleep. During this time, AnHosting decided to suspend my account due to processor overload. Thanks to everyone on Twitter for your concern, as it prompted me to wake up and get into action. Since I couldn’t access cPanel or anything else tied to my account, I visited the AnHosting web page, which gave me the option to perform a live chat with a technician. They explained to me that XMLRPC.php and Index.php were the two culprits sucking up all the CPU power. Once I told them I would disable XMLRPC on WordPress as well as disable trackbacks and pingbacks, they temporarily restored my site. After disabling those, I also used a trick I learned from Brad Williams where I viewed the source code on the index of the site, pasted that into index.html and renamed index.php. This was just in case a large amount of human traffic was the source of taking down the site. However, it struck me as odd that Woopra showed no signs of a large influx of human traffic on the site during that time or just prior to the site being suspended.

Once I renamed XMLRPC.php and index.php, the CPU on the server immediately went back to stable levels. However, WordPress needs index.php to function properly. Thanks to this line of code from Will Anderson, I was able to successfully use index.php without the scrapers being able to access it.

<?php
// Redirect anyone requesting /index.php directly back to the front page.
// The comparison is an exact match on REQUEST_URI, so normal requests for
// "/" and for permalinks are unaffected; die() stops execution after the header.
if ( '/index.php' == $_SERVER['REQUEST_URI'] ) {
    header('Location: http://wptavern.com/');
    die('Do not request this file directly');
}

According to Will Anderson, this is just a little redirection code with the hope that the scrapers will not be able to handle the redirect. Oddly enough, it worked and prevented index.php from being loaded by an external source. I say external source because, according to Woopra, the CPU overloading was not caused by human beings browsing the site. Instead, some type of software, whether it was a bot or something else, was loading my index.php file and either scanning the content for posts or doing something else. The irony in all of this is that during the attack, I noticed a comment in the Akismet queue advertising Trackback Submitter software. I’m pretty sure that XMLRPC deals with track/pingbacks in WordPress, and if that’s the case, that would explain why that file was used so heavily. Once I was able to navigate within the administration panel of WPTavern, I noticed I had over 250 trackback spam links waiting in my Akismet queue. While some of the IP addresses attached to them were the same, a large number of them were different. The webhosts for these junk domains also varied. It was as if I was attacked by a distributed denial of service through trackbacks. A cheap-ass way to take down a site, in my opinion.

This is the first time I’ve ever experienced something like this. I really want to thank the tech support guys from AnHosting for allowing me to chat with them directly and work on resolving the issue. Obviously, in a shared hosting environment, one bad apple can take down the whole tree. I apologize for being that bad apple. Furthermore, although Ozh had different reasons for doing so, I am highly considering disabling trackbacks/pingbacks for good, considering I’ll see incoming links from either the Incoming Links dashboard widget or through other analytics software. Alternatively, I can use a plugin called Simple Trackback Validation, which so far has received a lot of good feedback from those who have used it.

I can’t believe how easy it was to perform a DoS attack on WPTavern.com through the use of trackbacks and XMLRPC. Although not an inherent flaw within the WordPress software, I wonder if anything should be done to prevent this sort of attack from happening. In fact, what can be done by WordPress to help prevent this from happening? If the Simple Trackback Validation plugin is as good as what people have told me, I’m guessing it could be absorbed into core?
