I was notified on Twitter the other day that there was a new 0 Day denial of service exploit for WordPress. When asking on Twitter if it worked, numerous people replied that the published code did work and was taking down their sites. This raised some red flags for me so I jumped into the WordPress-Dev IRC channel to figure out what was going on.
The way this denial of service attack works is that a random search string is sent to the search form of a WordPress based website. Caching plugins do not work against this because the search string is randomized. It’s quite simple but what I’ve been told is that this is not an issue for WordPress to handle. Instead, this attack should be dealt with by the webhost on a firewall level. At one point, a ticket was created by Scribu but has since been closed as won’t fix.
So at the end of the day, the best defense you have is a competent webhost that will do their part to prevent these attacks from happening. No reason to be alarmed.