WordPress Security: Hackers Can Get Your Origin IP and How to Stop It
Today, I found a vulnerability in WordPress. Hackers can exploit it to get your server’s original IP so they can launch a DDOS attack. Here’s how they can get it and how you can stop it.
Get Server’s Original IP Through User Registration
Step 1. Register An Account on Your WordPress Site
Go to one of the following URL to register an account:
yourdomain.com/wp-admin yourdomain.com/wp-login.php yourdomain.com/wp-login.php?action=register
Enter an username and email address. As the admin of your WordPress site, you will receive an email notification that a new user is registering an account on your site. At the same time, you site will send an email to the new user (hacker) to set a password.
Step 2. Open Original Email Message
Instead of setting a password, the hacker open the original email message or the source email message. In Gmail, open the email sent by WordPress and on the upper-right corner click the drop-down arrow and select show original.
In Mozilla Thunderbird, open the the email sent by WordPress. On the upper-right corner, click More button, and select View Source from the drop-down menu.
Here’s how the first few lines of original message or source message look like:
Return-Path: <[email protected]> Received:from yourdomain.com([220.127.116.11])<< This is your server's original IP !! by smtp.gmail.com with ESMTPSA id 388343daereqrefa.19.2016.01.05.21.32.31 for <[email protected]> (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 05 Jan 2016 21:32:33 -0800 (PST)
In the Received: from line the hacker can see your server’s original IP ! Even if your server use external SMTP server to send email, you server’s original IP still can be seen in the original email message.
X-Received: by 10.66.155.8 with SMTP id qrer3439005dfd.18.1452058439952; Tue, 05 Jan 2016 21:33:59 -0800 (PST) Return-Path: <[email protected]> Received:from yourdomain.com ([18.104.22.168]) << This is your server's original IP !! by smtp.external.com with ESMTPSA id rewre134373dfa.35.2016.01.05.21.33.57 for <[email protected]> (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 05 Jan 2016 21:33:59 -0800 (PST)
Why This is Bad for You?
If you use CDN service (You should), your server’s original IP is protected by CDN. When people lookup your server’s IP in DNS, they will get an IP pointed to a CDN node. If hacker launch DDOS attack against your domain, these bad DDOS traffic will go to CDN nodes deployed around the world by your CDN provider. Your original server will not receieve these bad DDOS requests.
But if hacker found your server’s original IP through email, they can launch the DDOS attack directly against your original IP. In a short amount of time, your server load spikes up and your bandwidth runs out. Legitimate visitors will see a Denial of Service message in their browser.
How to Stop it
This is simple, you can stop it by disabling user registration on your WordPress site. In the WordPress dashboard, go to Settings > General. Uncheck Anyone can register and save your changes.
The registration link on your site will disappear. So visitors can’t register on your site and your site will not send any email to hackers.
The Bottom Line
Your web server should send email only to yourself or the admin. You must set up your email server on another server.