Legitimate WordPress sites can be compromised and turned into a weapon to use as part of a distributed denial-of-service (DDoS) attack, according to security researchers. A HTTP-based distributed flood attack from more than 162,000 attacks recently brought down a larger site, with the victim WordPress site forced offline due to a tremendous amount of traffic.
Compromised websites likely didn't realize they were hijacked and used as part of the attack, though administrators can search for XML-RPC "POST" requests in website logs.
"Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites," said Daniel Cid, Sucuri CTO, wrote in a blog post. "Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you're likely very fond of."
The affected site was allegedly targeted by a rival, though because the perpetrator was hiding behind so many WordPress websites, it's hard to prove responsibility.