WordPress blogger patch foot-drag nag: You're tempting hackers

Misconfigured and unpatched WordPress sites are causing a rash of problems both to themselves and the wider internet. In fact, this ever-present internet security threat has flared up again over the last week because of several new issues.

The most pressing problem involves a recent brute force amplification attack on WordPress-based website via the XML-RPC API. Researchers at Sucuri discovered a way to carry out the attacks against WordPress' built-in XML-RPC feature.

More details of a proof of concept demo of the flaw can be found here.

The vulnerability allows an attacker to bypass web server rate limits. The practical upshot is instead of limiting websites to one query with a one password at a time, the flaw means a hacker can now send one query with 500 passwords via XML-RPC API.

XML-RPC is a protocol for securely exchanging data across the internet. The technology supports the ability for an application to execute multiple commands within one HTTP request.

Attacks are happening against WordPress sites, so the bug is far from merely theoretical. El Reg has seen evidence that the XML-RPC vulnerability is being actively abused by hackers for all manner of malfeasance, from brute forcing passwords to attempting to take sites down.

Regular sites are getting affected by attack traffic even though the main brunt of the attack is being thrown against sites using the popular CMS platforms.

Separately, WordPress users need to make sure their Akismet anti-spam plugin is up to date following the discovery of an unrelated security bug. The vulnerability might potentially be exploited through cross-site scripting attacks.

Lastly, security researchers at Swiss firm High-Tech Bridge have identified a critical vulnerability in WordPress's Gwolle Guestbook plugin, which has over 10,000 active installations. The vulnerability, a PHP File inclusion, could result in an attacker controlling a filename or reading and writing files, as well as created the potential for hackers to push arbitrary code onto target systems.

WordPress has a bad name when it comes to security but vulnerabilities are normally patched quickly.