Akismet, the popular WordPress spam prevention plugin by Automattic, has released an update with a number of fixes, including two that address recent reports of DDoS risks in WordPress related to pingbacks.
The post describes the two points that address the pingback issues:
- “Include X-Pingback-Forwarded-For header in outbound WordPress pingback verifications.”
- “Add a pre-check for pingbacks, to stop spam before an outbound verification request is made.”
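The two changes above describe an ordering fix (cheap spam checks before any outbound request) and an attribution fix (the verification request names the client that triggered it). The following is an added example, not Akismet's or WordPress core's code; the pre-check rules, the `RecordingFetcher` stand-in for the HTTP client, and the host names are assumptions, constructed for illustration.

```python
"""Hardened pingback handling, modelled on the two Akismet changes.

Added example, not Akismet/WordPress code. The pre-check rules, the
fetcher interface and the host names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

OWN_HOST = "blog.example"                 # constructed: site receiving pingbacks
BLOCKED_SOURCE_HOSTS = {"spam.example"}   # constructed: hypothetical block list


@dataclass
class Pingback:
    source_uri: str      # page claiming to link to us (XML-RPC param 1)
    target_uri: str      # our post being linked to (XML-RPC param 2)
    remote_addr: str     # IP of the client that sent the XML-RPC call


@dataclass
class RecordingFetcher:
    """Stand-in for the outbound HTTP fetch; records what would be sent."""
    requests: list = field(default_factory=list)

    def get(self, url, headers):
        self.requests.append((url, dict(headers)))
        return 200


def pre_check(pb: Pingback) -> bool:
    """Cheap local checks run BEFORE any outbound request (assumed rules)."""
    src, tgt = urlparse(pb.source_uri), urlparse(pb.target_uri)
    if src.scheme not in ("http", "https") or not src.hostname:
        return False
    if tgt.hostname != OWN_HOST:          # pingback for a post we don't host
        return False
    if src.hostname in BLOCKED_SOURCE_HOSTS:
        return False
    return True


def handle_pingback(pb: Pingback, fetcher) -> str:
    """Reject cheaply first; only then verify, naming the original requester."""
    if not pre_check(pb):
        return "rejected"          # no outbound request is ever made
    # The verification fetch now carries who asked us to make it, so the
    # fetched site can attribute the traffic to its true source.
    fetcher.get(pb.source_uri, {"X-Pingback-Forwarded-For": pb.remote_addr})
    return "verified"
```

With the old ordering, the `fetcher.get` call would have happened for every pingback, including ones later discarded as spam; here a rejected pingback produces zero outbound requests.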
In addition, Alex Shiels states that some of the previous reports were overblown:
There was a news cycle a few days ago about “WordPress pingbacks being used to DDOS sites” which had a lot of misinformation and hyperbole, but there were two valid issues which the last two bullet points address: anti-spam checks were done after a pingback was verified, and WP didn’t pass on who made the request that caused it to verify a pingback (effectively cloaking the true source).
I don’t believe he’s referring to the Sucuri report as being overblown, but perhaps some of the many others that were made in response to Sucuri’s findings. One of the more interesting posts I saw in relation to the coverage of the story was from Steve Ragan on the Salted Hash blog, and I actually think he was pretty fair in his analysis.
I think Akismet’s update reaffirms Ragan’s stance; it was definitely a real issue, and Akismet has responded with improvements for handling pingbacks. Alex even notes that he believes the fixes could be viable candidates for core patches:
This update to Akismet addresses both, and we think a similar approach may be appropriate for core in a future release.
This has been an interesting story to follow, and I’m happy to see some resolution from Akismet, a plugin in the security space with a very broad reach.