An easy yet serious application-level denial-of-service (DoS) vulnerability has been discovered in the WordPress CMS platform. It could allow anyone to take down your website easily. Every WordPress website is affected by this vulnerability, and it still remains unpatched.
Recently my website was taken down by this attack. My website was running smoothly as always when I suddenly saw an increase of 30K hits, which was very strange. After 30 minutes my hosting provider sent me a mail about high CPU usage, and my website was taken down. That means any website can be taken down by this attack.
After that, I was very frustrated trying to find out what had actually happened. I checked my website's log file and found unusual traffic on my wp-login page. I also found a DoS vulnerability on my WordPress website.
How the DDoS Attack Works
The discoverer of this vulnerability contacted WordPress through HackerOne. But they refused to acknowledge it and claimed that: “This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.” That means the vulnerability currently remains unpatched in every WordPress version. This is very frustrating because WordPress powers 30% of the Internet.
No Patch Available – Mitigation Guide
I am not a developer, but I blocked this vulnerability on my web host, and that is why my website is still running. You can do this by pasting this line into your wp-config.php file:
define( 'CONCATENATE_SCRIPTS', false );
(This disables all script concatenation, so the admin area loads each script separately and no longer needs load-scripts.php.) Then block load-scripts.php via .htaccess. If you run Apache 2.4, paste:
# Protect load-scripts.php on Apache 2.4
<Files "load-scripts.php">
    Require all denied
</Files>
For older Apache versions (before 2.4) use:
# Protect load-scripts.php on older Apache
<Files "load-scripts.php">
    Order deny,allow
    Deny from all
</Files>
That is all you need to do to block this DoS attack.
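To confirm from your own log that this is what is hitting your site (the unusual traffic I mention above), here is a small log check, added as an example and not part of the original post. It reads Apache combined-format access log lines (the sample below is constructed, not my real log), counts requests to wp-admin/load-scripts.php per source IP, and flags sources that repeatedly request many modules in one load[] parameter; the thresholds min_hits and min_modules are assumptions you should tune for your traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not a real site's log).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker&ver=4.9 HTTP/1.1" 200 1834221 "-" "python-requests/2.18"
203.0.113.5 - - [06/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker&ver=4.9 HTTP/1.1" 200 1834221 "-" "python-requests/2.18"
203.0.113.5 - - [06/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker&ver=4.9 HTTP/1.1" 200 1834221 "-" "python-requests/2.18"
198.51.100.7 - - [06/Feb/2018:10:00:03 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9 HTTP/1.1" 200 98765 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [06/Feb/2018:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status and response size of a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    qs = parse_qs(parts.query)  # decodes the load%5B%5D key back to load[]
    load = qs.get("load[]") or qs.get("load") or [""]
    rec["modules"] = len([mod for mod in load[0].split(",") if mod])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def flag_sources(log_text, min_hits=3, min_modules=5):
    """Return {ip: (hits, max_modules, total_bytes)} for sources that requested
    load-scripts.php at least min_hits times with at least min_modules modules."""
    stats = defaultdict(lambda: [0, 0, 0])  # hits, largest module list, bytes served
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].endswith("/load-scripts.php"):
            continue
        s = stats[rec["ip"]]
        s[0] += 1
        s[1] = max(s[1], rec["modules"])
        s[2] += rec["bytes"]
    return {ip: tuple(s) for ip, s in stats.items()
            if s[0] >= min_hits and s[1] >= min_modules}
```

Run flag_sources(open("access.log").read()) against your own log; a source that keeps coming back with a long load[] list and large responses is the pattern the block rules above stop.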