I wish there was a way to shut down these sites. Maybe we need to have a license for WordPress site owners. If you're too stupid to keep your site updated, then you lose your license and the site goes offline.

Wordpress could also help by

1) disabling things that not everyone needs, like XML-RPC (used in this attack) by default.
2) making hardening easier - e.g. making /wp-admin easily relocatable
3) disable file editing by default - or remove the damn stupid misfeature altogether.
4) do not use the same default admin username on every install.

@graeme_p, yep.

I don't use wordpress for my own sites, but if a customer asks for it I warn them there will be ongoing maintenance costs to prevent them from being hacked.

I use an older version but can't upgrade as my host won't upgrade php to the level required to install the newer Wordpress.

@webdevfv, I had the exact problem (are you with Yahoo SB too by any chance?). The older WP's have serious security issues and your domain can be hijacked for a Viagra page that isn't even on your site. My entire site isn't in WP (thank God), just a blog was, so I said the hell with WP and moved the blog to Blogger.

Now all those bogus Viagra pages go to my 404 page where there's a link to my main page. Thanks for the free traffic jerks, lol.

I do have some sites running very old versions, but I have never faced any hacking problems. It's because I always password protect 'wp-admin' directory on all installations/versions.

Protecting the admin folder or other non public folders with .htaccess is always a good practice since those files can typically cause the most damage but I wouldn't depend on it for securing an installation. Public scripts can be just as damaging.

Security for any site is about layers and keeping up to date to remove exploits should be priority number one.

+1 thecoalman

"I have never faced any hacking problems."

What I suspect you mean is you've not yet been hacked into.

Simply observe the hack attempts, in your raw access logs. The bulk are clearly focussed on the WP framework.

Then decide if that level of abuse of your CPU and BW is not a problem.

Public scripts can be just as damaging.

When my sites were constantly under attack, my managed webhost put a password protect on my Wordpress login and Google slammed me with "increase in authorization errors" pointing to the login pages. Here's the discussion to that problem I raised [webmasterworld.com...] Traffic plummeted - not the drastic drop-from-the-cliff kind, but the slow-but-sure kind that is sooo hard to climb back up.

I had to put the WP login pages in my robots.txt file to get rid of Google's authorization error messages.

I moved to a different managed server webhost with stronger protection layers against hacking. So far, no problems. Keeping my fingers crossed.

Hacking is just something many website owners don't think about until it happens to them. Just like me. When I got hit -- and boy, it was non stop -- it was painful. Only then did I take protecting against malwares and hacking seriously, and now religiously updates every Wordpress install and plugins as soon as available.

>> Traffic plummeted

But if the traffic was from the bot attack this would make sense. No?

If you're too stupid to keep your site updated, then you lose your license and the site goes offline.

This attack has nothing to do with updates, though. It's just the way pingbacks work, and they're enabled by default in many content management systems, not just Wordpress.

Good point robzilla - I wan't very clear. I should have included "and locked down"

You can disable them in the Admin panel for all future posts/pages. To disable them for already published posts/pages in bulk [wordpress.org...]

But if the traffic was from the bot attack this would make sense. No?

NO - the big decrease was Google traffic. The bot attack came as referral traffic

WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability launch a Application Layer DDoS attack.
We all should take steps to hardened our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect and prevent your WordPress website to be used in DDoS attack.

[edited by: lorax at 12:11 pm (utc) on May 23, 2014]

Let's be clear without the sensationalism. Pingbacks are a feature that WordPress allows. Some people find them useful, others find them less so. Some exploit the function to coordinate attacks.

Just because we have roads and people use those roads to deliver car bombs or crash their cars, doesn't mean the roads are a vulnerability. Roads can be used for bad and good - they're job is to allow transport. The job of pingbacks is to allow notification. Either one can be used against you. If you want a truly safe CMS then don't use a CMS.