WordPress Search Based DOS Attack

January 1st, 2010
WordPress Security

I was notified on Twitter the other day that there was a new 0 Day denial of service exploit for WordPress. When asking on Twitter if it worked, numerous people replied that the published code did work and was taking down their sites. This raised some red flags for me so I jumped into the WordPress-Dev IRC channel to figure out what was going on.

The way this denial of service attack works is that a random search string is sent to the search form of a WordPress based website. Caching plugins do not work against this because the search string is randomized. It’s quite simple but what I’ve been told is that this is not an issue for WordPress to handle. Instead, this attack should be dealt with by the webhost on a firewall level. At one point, a ticket was created by Scribu but has since been closed as won’t fix.

So at the end of the day, the best defense you have is a competent webhost that will do their part to prevent these attacks from happening. No reason to be alarmed.




  1. Baris Unver (17 comments.) says:

    This could be a temporary solution:
    (disabling the search function until the flaw is fixed)

  2. Baris Unver (17 comments.) says:

    Wait! This is better and working:

  3. Michael (12 comments.) says:

    I guess this potential issue doesn’t exist if you use Google search on your site.

    • tricky says:

      I do use Google custom search for my WP powered blog, but you can still use the ?s= query

  4. Lloyd Budd (22 comments.) says:

    Jeff, thanks for posting this here. Some of the details you have posted here would also benefit the ticket. Also, I don’t think it would be a bad idea to include links to related discussions on this issue.

    The nature of the issue is not specific to search, nor WordPress. For any significant site there are enough permutations to flood most hosting — the limitations (“features”) of many hosting plans kick in before that.

    Caching solution and tuning could reduce the impact, though any white listing and crippling solutions would be challenging to generalize. I do think there is opportunity here though.

  5. Ryan (55 comments.) says:

    Is this really new though? It’s just a DOS attack. It doesn’t sound like any flaws in WordPress have been reported.

    • bubazoo (213 comments.) says:

      thats what I was just thinking.. there are several DOS attacks that can be done over SHELL access, but I’ve never believed that disabling SSH access to the server is the answer either, I think thats the lazy way out. Like he said, the answer is to put up a good firewall..

      but unfortunately, what happens alot of times, Web Hosting Providers DON’T do their part, so your forced to deal with this exploit yourself in some way. I mean, not everybody can afford their own server, with root access, and all that other great stuff, some of us are “forced” to deal with a shared account on a webhost that unfortunately doesn’t do their part, making it even more of a pain to switch providers, so therefore, in some situations, some kind of fix has to be implemented for hosts who don’t wish to comply… ya know what I’m saying? otherwise there are going to be alot of complaints.

      • jalder says:

        Ehh, I disagree with your attitude, you are “forced” to use crappy services because you can’t afford good services? If a company doesn’t do their part, don’t give them your business. If you can’t afford good services/products, that is a personal problem. If your client hosts on a crappy provider and you are a web designer, again not your problem.

        Regardless, I use configserver security and firewall (csf/lfd), it gets the job done.

  6. Tadd Mencer (2 comments.) says:

    I use WP Firewall on a lot of my sites and that helps a TON. It’s in the repository if anyone wants to use that :)

  7. Dave (9 comments.) says:

    It looks like the ticket has maybe been re-opened?
    Anyway, WordPress problem or not this seems easy to fix:
    1) make it dead easy (or default) to use google for search like everyone wants anyway (honestly as good as they are who thinks the WordPress devs can write a better search than _google_)
    2) typical DOS protection… only allow x searches in y minutes per IP, whitelist searches (maybe only allow for searches of dictionary words), or why not just say once server load goes above X searching is disabled?

    This could all be put in a plugin… if I was smart enough I would write one.

  8. bubazoo (213 comments.) says:

    and btw, how do you get anyone to answer you in either the WordPress or wordpress-dev IRC channels? Every time I go over there, nobody answers, for hours nobody answers except only to questions they feel like answering… Its worse in the forums, they treat you like your “google handicapped” just because you ask a question, even if its a question you can’t find on google, they “assume” every question ever thought of can be found on google, so most of the people in the IRC chat and the forums, treat you with nothing but short sarcasm. Ya guys have to remember that not all of us are wordpress nerds. Some of us, like ME for instance, have been using wordpress since the 1.0 days, but still don’t know the inner workings of it, not all of us are born to be PHP guru’s ya know, and some of us, like me, are blind and do need more one-on-one assistance, for speech software only tells us so much..

    • Dave Doolin (25 comments.) says:

      bub, think of it this way: these irc channels are like a private cocktail party where everyone on there knows everyone else for years. They become self-contained.

      Most of the people on them learned everything “the hard way.” That is, they wrote code and figured it out for themselves.

      If you are serious about participating, lurk for a while to catch the spirit of the community. Then when someone new shows up with a question, you answer that question fast, but make sure your answer is accurate. If it’s wrong, that’s worse than not answering.

      These guidelines go for usenet, forums, irc… and private cocktail parties!

      Remember, you can always start your own channel.

      • Developer Overseas says:

        So you’re saying if I’m at a cocktail party and I put a lampshade on my head and idle up to everybody and ask dumb questions, nobody will talk to me??

        For the WordPress Forums, they too have a rhythm and certain times of the day are better than others (about 20:00-23:00GMT appears like when most of my queries are answered).

        What is the irc equivalent of a lampshade?!

    • Jeff Chandler (171 comments.) says:

      I understand where you’re coming from. I too in the early days noticed the same type of atmosphere. Not from ALL members inside the channel but from a select few. Generally everyone knows everyone else inside that channel which is some of the reason behind the sarcasm and such. However, I’ve had good success in the WordPress IRC channel in the afternoons and evenings EST and in the evenings within the WordPress-Dev channel.

      Try not to take everything everyone says in the IRC channel seriously. When I hang out in IRC, I wait for the easy questions and try to help out as best I can. If I’m wrong, I learn why but it’s better than having a question just sit in the channel with no answer.

  9. Dave (9 comments.) says:

    Bubazoo – it’s tough because developers like to code, not do tech support (Tech support is a hard, frustrating, thankless job) – that being said there’s no excuse for not being nice.
    That’s why it’s so great that sites like this (and mine if I can plug myself) are around… there are plenty of knowledgeable Wordpres users out there who are more than happy to do tech support for free. The community is a big part of why I use WordPress.

  10. Viper007Bond (91 comments.) says:

    Wait, so tons of traffic all at once will take down a site? Thanks for reporting this. ;)

    In all seriousness though, that’s all the “exploit” is — hammering the site with random requests. You can take down literally pretty much any database powered site by requesting random URLs. would take down your site for example. If Google didn’t have enough servers, would take them down too.

    I find it fairly irresponsible to write fear mongering posts such as this one. Yes, you ended with “No reason to be alarmed”, but all anyone sees is the big orange title.

    • Mark (386 comments.) says:

      Don’t you think it is a little sensationalist on your part to publicly call us out as fear mongers when it is relatively obvious that we mean well and are trying to be as careful as possible with sensitive information?

      • Viper007Bond (91 comments.) says:

        I don’t debate that you mean well. :)

        My personal opinion though is that you’re reporting on what is basically a non-issue. Your headline makes it sound like there’s some unique-to-WordPress exploit that’s been found that’s going around taking down sites when infact it’s something that has existed since the Internet was invented — too much traffic over a short period of time, especially to a URL that requires a fair amount of server resources to generate, will overload a server and make it unresponsive. This is no different in any way then say the Digg effect.

        Basically you’re scaring people when they have nothing to worry about. I also think it’s perpetuating WordPress’ reputation for having a higher than average number of security issues, something that I strongly disagree with.

        But perhaps it’s just me (it really could be). :)

        • Jeff Chandler (171 comments.) says:

          The title of the post is clearly in line with the topic at hand. There is a published article explaining how to do a DOS attack on a WordPress website which the article clearly is in reference to. As for fear mongering, I clearly state that the issue is not related to WordPress itself and is nothing to worry about. You can’t make me responsible for people not reading the entire article.

          I also decided to write this and publish it because many people are asking about it. Instead of everyone questioning whether this is something to take seriously or not, I put it out there for the public to see instead of hearing it from a back channel.

          • Viper007Bond (91 comments.) says:

            Fair enough. I guess I should be more frustrated with the author of the silly original article than with you, Jeff. :)

    • Viper007Bond (91 comments.) says:

      By the way, it was not my intention to sound like a dick. After re-reading my original, I realize I may have come off sounding like one, especially due to the sarcasm.

  11. Neto (1 comments.) says:

    “No reason to be alarmed” ?!!!!!!
    Right now, I have a blog of mine under attack.
    I think that disable the search function is the best thing to do. I’ll leave this job to Google.

    Thanks for the alert !

  12. tricky says:

    well, that’s why Forums (vbulletin) can restrict how often you use the search function.

    • Viper007Bond (91 comments.) says:

      Such a restriction in WordPress would only stop abuse of the search feature. There’s plenty of other URLs that one could call that would arguably cause MORE server load than search results would. ;)


  1. […] WordPress Search Based DOS Attack […]

  2. […] search is resource-intensive operation by itself, which might stress budget hosting and was reported as vulnerability to denial of service attacks. […]

  3. […] WordPress Search Based DOS Attack […]

Obviously Powered by WordPress. © 2003-2013

page counter