WP Trackback Spam Attack

They say that the more popular you are, the more attacks you get. This is so true with WordPress right now. The massive code injection and hidden links on WordPress blogs are getting some serious coverage and just tonight I discovered another form of attack — the WP Trackback Spam flooding.

The attack is simple yet effective — flood wp-trackback.php with HTTP requests. It’s like a DDoS actually. There could be several ways to do this:

  • Software-driven. I’ve seen some software that can make 1,000 simultaneous HTTP requests to a site or specific webpage.
  • Code embed. Add the target page (in this case, wp-trackback.php) into a popular page or site so that it is requested at every page load. Replicate that on many other high-traffic sites and voilà, instant slashdot effect.
  • Bots. Similar to GoogleBot or Yahoo! Metacrawler, but this type has malicious intent and only goes after a specific page — wp-trackback.php.

It’s hard really. Took me about 6 hours monitoring one of our servers where a blog was attacked. The attack would seem like a Digg-effect or a slashdot effect. However, any anti-Digg solutions would not work — even WP-SuperCache could not fend it off. Then it struck me, maybe the page is not being cached.

A check with the analytics showed this:

[Image: wordpress trackback]

WP-Shortstats was tracking it. Thousands of trackback requests for almost all pages in the blog in a matter of hours.

What made it worse is that the wp-shortstats plugin is also recording this — meaning for each page request, there’s a corresponding SQL query executed by Shortstats that’s aggravating the situation.

The result — slow, crawling blog; eventually, an overloaded or crashed server.

The solution? Deactivating trackbacks won’t help. You need to delete wp-trackback.php or CHMOD it to 000. If you can identify the IPs, block them too.

Your blog won’t be able to send/receive legit trackbacks but it’s the only solution for now.
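
To confirm the pattern from the web server's access log instead of an analytics plugin, the added example below (not part of the original post) counts requests to wp-trackback.php per client IP and lists the post IDs each IP targeted. It assumes common/combined log format; the sample lines, IP addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
POST_ID_RE = re.compile(r"[?&]p=(\d+)")

def summarize(lines, per_ip_threshold=3):
    """Count wp-trackback.php hits per client IP and flag heavy senders.

    per_ip_threshold is an assumed cut-off; tune it to the log window used.
    """
    total = 0
    hits = Counter()
    posts = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        total += 1
        ip, path = m.groups()
        if not path.split("?", 1)[0].endswith("/wp-trackback.php"):
            continue
        hits[ip] += 1
        pid = POST_ID_RE.search(path)
        if pid:
            posts[ip].add(int(pid.group(1)))
    trackbacks = sum(hits.values())
    return {
        "total": total,
        "trackbacks": trackbacks,
        "share": trackbacks / total if total else 0.0,
        "hits": dict(hits),
        "posts": {ip: sorted(ids) for ip, ids in posts.items()},
        "suspects": sorted(ip for ip, n in hits.items() if n >= per_ip_threshold),
    }

# Constructed sample log lines (documentation IP ranges), not from the post.
SAMPLE = """\
203.0.113.7 - - [01/Jan/2024:21:00:01 +0800] "POST /wp-trackback.php?p=11 HTTP/1.1" 200 78
203.0.113.7 - - [01/Jan/2024:21:00:01 +0800] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 78
203.0.113.7 - - [01/Jan/2024:21:00:02 +0800] "POST /wp-trackback.php?p=13 HTTP/1.1" 200 78
203.0.113.7 - - [01/Jan/2024:21:00:02 +0800] "POST /wp-trackback.php?p=11 HTTP/1.1" 200 78
198.51.100.9 - - [01/Jan/2024:21:00:03 +0800] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 78
192.0.2.1 - - [01/Jan/2024:21:00:04 +0800] "GET /2024/01/some-post/ HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['trackbacks']}/{report['total']} requests hit wp-trackback.php")
    for ip in report["suspects"]:
        print(ip, report["hits"][ip], "hits, posts", report["posts"][ip])
```

A high trackback share spread across many post IDs from a few addresses matches the flood described above; the flagged addresses are the candidates for blocking.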

Abe Olandres
Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.
  1. I can’t believe people are doing this to my blog. Tsk. Tsk.

    :)
    Dark Knight
    BlueMumble

  2. wait. how would I be certain that I am being attacked? is it when I see the wp-trackback.php on the analytics?

    I noticed some slowdown and database error yesterday on my blogs…

  3. @ash, that’s the only way I was able to detect the attack. caused the server to slow down and crash at times. Looks like your blog is on that server too.

  4. oh!.. still great it’s fixed… thanks.

  5. i don’t know if my selaplana.com experienced this. i tried to investigate but i don’t know yet how to know if the blog has been attacked by this kind.

  6. OMG! i believe this is the culprit, that’s why last month my host server crashed several times and my blog too..

    CHMOD to 000? is it just like deleting the wp.trackback thing??

