They say that the more popular you are, the more attacks you get. This is so true with WordPress right now. The massive code injection and hidden links on WordPress blogs are getting some serious coverage and just tonight I discovered another form of attack — the WP Trackback Spam flooding.
The attack is simple yet effective — flood wp-trackback.php with HTTP requests. It’s like a DDOS actually. There could be several ways to do this:
- Software-driven. I’ve seen some softwares that can do 1,000 HTTP simultaneous requests to a site or specific webpage.
- Code embed. Add the target page (in this case, wp-trackback.php) into a popular page or site which requests for it at every page load. Replicate that on many other high-traffic sites and viola, instant slashdot effect.
- Bots. Similar to a GoogleBot or Yahoo! Metacrawler but these type have malicious intent only goes after a specific page — wp-trackback.php.
It’s hard really. Took me about 6 hours monitoring one of our servers where a blog was attacked. The attack would seem like a Digg-effect or a slashdot effect. However, any anti-Digg solutions would not work — even WP-SuperCache could not fend it off. Then it struck me, maybe the page is not being cached.
A check with the analytics showed this:
WP-Shortstats was tracking it. Thousands of trackback requests for almost all pages in the blog in a matter of hours.
What made it worse is that the wp-shortstats plugin is also recording this — meaning for each page request, there’s a corresponding SQL query executed by Shortstats that’s aggravating the situation.
The result — slow, crawling blog; eventually, an overloaded or crashed server.
The solution? Deactivating trackbacks won’t help. You need to delete wp-trackback.php or CHMOD it to 000. If you can identify the IP, block them too.
Your blog won’t be able to send/receive legit trackbacks but it’s the only solution for now.