
Your blog has been hacked. Actually, maybe not. The Pingback Exploit.

This morning I got an email from a person named Sam Bowne with the ominous subject line “Your blog has been hacked”. The email read as follows:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco. Your blog has been hacked, and is being used to attack other sites. The specific URL and IP address involved in attacks is in the list below.

Please scan your blog and clean it.

Complete information about this is at:

http://samsclass.info/125/proj11/wpbots120613.htm

Now I get a lot of crazy emails from a lot of crazy people, so my initial reaction was that this was another one destined for the spam pile. But at the bottom of the email was a list of about 50 sites that were supposedly hacked, and looking through it I got curious. On the list, which included a site I managed years ago, I found URLs like wordpress.org, viper007bond.com, and woothemes.com. The chance of any of these sites being hacked and used to spam Mr. Bowne is pretty close to zero, so clearly something else was going on here.

Browsing the responses to Sam’s Twitter stream it became clear that many of the people who had received the same email (apparently it was sent to thousands of email addresses) had done their due diligence by checking their sites for exploits only to find they were in fact not hacked. My guess is that if we were to check all the sites on the list we’d find very few sites with hacks on them. But the claim that the sites were attacking Mr. Bowne’s site is still true!

Your WordPress site can be tricked

It is a poorly kept secret that with some simple code you can turn a WordPress site into a tool of evil. Hidden in WordPress core is a function called XML-RPC that allows users to send emails to WordPress and then get WordPress to do things like publish posts. The feature also powers pingbacks – essentially messages sent to other sites when they are being linked to – and it is very useful if you want to use a third-party application to write posts or you want to email posts to your site. This function can unfortunately be exploited to make your site send requests to target sites, thus becoming an accomplice in a DDoS attack.

It is disturbingly simple: a few lines of code will trigger a cascade of requests to your WordPress site, which then in turn sends pingback requests to a specified site. Multiply that by a hundred or a thousand or a million sites like yours and you have a perfectly orchestrated DDoS attack executed by proxy through your site and others. Which seems to be what happened to Mr. Bowne. Again, not an attack on your site but an exploit of it.

Based on the list of sites provided by Sam and my own observations of spam comments, it seems clear that a large portion of the sites that are taking down Sam’s site are in fact not infected but instead vulnerable to the pingback exploit. In fact it appears any standard WordPress install without Akismet activated is vulnerable to this exploit. Which is a serious problem.

Solutions, current and future

This exploit is well known to the developers who build WordPress and it is being worked on. However, as of right now your WordPress site may become part of the problem unless you take a simple step to prevent it: Go to Settings -> Discussion and turn   off. Some are suggesting removing the XML-RPC feature altogether by deleting it from the WordPress install. This is a terrible idea and should not be done. WordPress core is not something you should mess with, and the XML-RPC function is used for more than just sending out pingbacks, most notably to allow a user to post to the site using email or third-party apps.
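The same step in code, as an added example that is not part of the original post: a must-use plugin that switches off only the pingback surface while leaving the rest of XML-RPC (remote publishing clients) intact, so nothing in core has to be edited. The filter names are real WordPress hooks; the plugin name is my own.

```php
<?php
/*
 * Plugin Name: Disable pingbacks, keep XML-RPC
 * Added example, not code from the original post. Drop this file into
 * wp-content/mu-plugins/ so it loads on every request without editing core.
 */

// 1. Remove only the pingback methods from the XML-RPC method table.
//    Remote-publishing methods (wp.newPost, metaWeblog.*, ...) stay available.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint in the X-Pingback response header,
//    so scanners enumerating pingback-capable sites do not list this one.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Same effect as switching link notifications off under Settings -> Discussion,
//    but applied to existing posts too, whatever their per-post setting says.
add_filter( 'pings_open', '__return_false', 20 );
```

Trade-off: with this loaded the site neither receives nor acts on pingbacks at all, which is exactly the feature the post says to turn off until core addresses the problem.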

Moving forward it’s clear this needs to be addressed in WordPress core so new users do not inadvertently become bots. What exactly that fix should be is up for debate. Simply disabling XML-RPC is not a solution, yet leaving it completely open is an equal non-starter. The bottom line is that a push needs to be made to get core updated in some way to curb this problem going forward. WordPress powers 20% of the web and will continue to take over more of the space, so these weaknesses will be exploited more and more if nothing is done.


Anatomy of a vague-baiting spam comment

Have you ever approved a friendly comment on your WordPress site only to be hit by a barrage of comment spam the next day? If so you were probably the victim of what I like to call vague-baiting. Let me explain:

At a recent meeting of the Vancouver WordPress Meetup Group someone asked about how to avoid getting so much comment spam on their WordPress site. The simple answer to that question is to install the Akismet plugin which should catch 98% or so of your spam and which learns and improves over time. But that’s not the whole answer.

You see, not all spam is created equal. Spammers know that you use tools like Akismet and other moderation systems to keep them at bay so they try their best to trick you into letting them past your blockades. They do this by submitting innocent looking comments like this:

Example of typical spam comment

What you see above is a typical spam comment as it came through on my site. Akismet didn’t flag it because it doesn’t have any of the tell-tale signs of being a spam comment, but it is spam nonetheless. This raises a rather obvious question:

Why all the trickery for a spam comment that has no value?

The purpose of spam is to drive your visitors to other sites that the spammer can earn money from. So why on earth would someone go to such lengths to post a spam comment with no nefarious links and a completely innocuous and pointless message? The answer lies in how WordPress and most other publishing systems work: A common way to avoid spammers is to simply set the site so that the first comment from a new email address is always held for moderation. Only commenters with an already approved comment can comment freely on the site. And Akismet also avoids flagging messages from approved commenters as spam. I think you can see where this is going.

To get around your moderation wall a comment that seems to be praising the site is submitted. Once that comment is approved however, a barrage of spam of the worst kind will hit the site. This vague-baiting aims to trick new or unwitting site owners into approving spammers as valid commenters on their sites. And I’m sad to say it works really well. So how do you identify vague-baiting? Follow me down the rabbit hole:

The Vaguest Comment Ever

The vague-baiting comment is most easily recognized by its insanely vague content. Reading the comment one could think it was written by a real reader, but upon closer inspection you realize this comment could be applied to pretty much any posting on any website about any subject. It is so vague its informational value is close to zero.

The typical content of these comments follows a standard formula: vague praise of the author for writing a good post / argument / site, followed by an even vaguer reference to some of the content (usually of the form “your argument is great!”), and then some form of statement indicating that the commenter reads your site regularly / was referred by a friend who reads the site regularly / is going to recommend other people read the site regularly / all of the above. Some of the comments also indicate that the commenter found the site through a Google search “on the subject”.

The Hyperlink to Nowhere

WordPress and most other publishing platforms ask the commenter to enter a URL to their site. If the commenter enters a URL to an objectionable site or one connected with other spam comments, the comment automatically gets flagged. So instead the vague-baiting comment will usually provide a garbage URL pointing nowhere, or a URL to a dummy Facebook profile or similar social media profile, as is the case in the screenshot above. This is done to give you the impression that this is a real person who just messed up their URL.

The Bizarre Email Address

A simple way of preventing the most blatant (and stupid) spam bots is to ask for an email address when a comment is posted. Because the vague-baiting spammer wants you to approve the comment, and thereby the email address, it has to be a real one. However, because they do this at such volume, they use randomized email addresses. Usually you’ll see an email address with a rubbish prefix like ttp856956 followed by Hotmail, Yahoo, Gmail or some other public email service with a geo suffix in an unusual location, in this case Taiwan. This email suffix needs to be seen in context with the IP address, as explained below.

The IP Address to Elsewhere

The final telltale sign of a vague-baiting comment is the IP address. The IP address is the address of the actual computer submitting the comment. In this case the IP address is located in Lima, Peru, not Taiwan as the email address suggests. This in itself could have a reasonable explanation – say the person from Taiwan was visiting Peru – but a quick Google search shows that this IP address shows up again and again as the originator of spam. In other words, case closed.

Avoid Spam by Being Logical

Based on what you’ve seen above, avoiding vague-baiting comments is pretty simple: Be logical. If you get a comment with an unnecessarily vague message, it is probably spam. The threshold for someone going through the trouble of leaving a comment is always pretty high, and no sane person is going to go through the trouble of leaving a super vague comment with no value on your site. And if the vagueness wasn’t enough of a red flag, take a look at the sender URL, email address and IP address and see if they all make sense. If they don’t you can hit the spam button safe in the knowledge that you averted a poorly disguised attack on your site.
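The four signals above (vague content, URL to nowhere, randomized mailbox with a geo suffix, IP in a different country) turned into a moderation filter, as an added example that is not part of the original post. It holds such comments instead of auto-approving them; the vb_ names, the phrase list and the thresholds are my own, and the IP country is assumed to come from a GeoIP lookup the example does not perform.

```php
<?php
/*
 * Plugin Name: Hold vague-baiting comments for moderation
 * Added example, not code from the original post; load it as an mu-plugin.
 * The vb_ function names, the phrase list and the thresholds are my own.
 */
// The standard formula the post describes: vague praise, "I read you regularly",
// "a friend recommended", "found you on Google".
const VB_PHRASES = array( 'great post', 'great article', 'your argument is great',
    'nice blog', 'very informative', 'keep up the good work', 'read your site regularly',
    'friend recommended', 'found your site on google', 'recommend to my friends' );

// Returns the four signals from the post as booleans. $origin_country is assumed
// to come from a GeoIP lookup of the comment IP (not performed here).
function vb_signals( array $c, string $post_text, string $origin_country = '' ) : array {
    $text  = strtolower( $c['comment_content'] );
    $email = strtolower( $c['comment_author_email'] );
    $url   = strtolower( $c['comment_author_url'] ?? '' );
    // 1. Vague content: generic phrases and almost no long words shared with the post.
    $generic = 0;
    foreach ( VB_PHRASES as $p ) { if ( strpos( $text, $p ) !== false ) $generic++; }
    $post_w = array_flip( preg_split( '/\W+/', strtolower( $post_text ) ) );
    $shared = 0;
    foreach ( preg_split( '/\W+/', $text ) as $w ) {
        if ( strlen( $w ) > 4 && isset( $post_w[ $w ] ) ) $shared++;
    }
    $vague = $generic >= 1 && $shared <= 1;
    // 2. URL to nowhere: none at all, or a bare social-media profile.
    $dead_url = $url === '' || (bool) preg_match( '#^https?://(www\.)?(facebook|twitter)\.com/#', $url );
    // 3. Randomized mailbox: a few letters plus a run of digits at a public provider.
    $mailbox = (bool) preg_match( '/^[a-z]{2,5}\d{5,}@(hotmail|yahoo|gmail)\./', $email );
    // 4. Email domain ends in a country code that differs from the IP's country.
    $mismatch = false;
    if ( $origin_country !== '' && preg_match( '/\.([a-z]{2})$/', $email, $m ) ) {
        $mismatch = strtoupper( $m[1] ) !== strtoupper( $origin_country );
    }
    return compact( 'vague', 'dead_url', 'mailbox', 'mismatch' );
}

// Hold when the content is vague and at least one identity signal backs it up.
function vb_should_hold( array $s ) : bool {
    return $s['vague'] && count( array_filter( $s ) ) >= 2;
}

// Only downgrade comments WordPress was about to auto-approve; never upgrade.
add_filter( 'pre_comment_approved', function ( $approved, array $c ) {
    if ( 1 != $approved ) return $approved;
    $post = wp_strip_all_tags( (string) get_post_field( 'post_content', $c['comment_post_ID'] ) );
    return vb_should_hold( vb_signals( $c, $post ) ) ? 0 : $approved;
}, 10, 2 );
```

Held comments still land in the moderation queue, so a genuine but terse reader is delayed rather than lost, while the approved-commenter bypass the post describes is never granted automatically.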