DDoS on WordPress using the search feature

This fairly low tech DDoS can easily take down an under resourced WordPress website, what you will see in your logs is something like:

/?s=SwCGbtyTPFbgIy 19:02:40
/?s=rNiwiuFckGegR 19:02:49
/?s=SwCGbtyTPFbgIy 19:02:53
/?s=SwCGbtyTPFbgIy 19:02:56
/?s=SwCGbtyTPFbgIy 19:03:01
/?s=mYwyTaXVqvlW 19:03:12
/?s=SwCGbtyTPFbgIy 19:03:18
/?s=mYwyTaXVqvlW 19:03:22
/?s=rNiwiuFckGegR 19:03:22
/?s=mYwyTaXVqvlW 19:03:32

Sometimes you will see different HTTP User-Agents in each of the requests, also normally you’ll see the requests coming from multiple IP addresses.

ddos_on_searchWhat’s causing the damage here is the /?s= after which will be followed by some garbage text (as above) or a couple of random words, triggering a database lookup which uses more server resource than any other visitor request, the attacker doesn’t need to be using a browser, this can easily be scripted, and there are automated tools which will launch these search attacks, limiting the number of visits as coming from each IP so as not to trigger most firewalls also randomising the search request so there is less chance it would be found in a cache which would not have the same disruptive effect.

This has been a vulnerability in WordPress for over five years, and while I understand the WordPress developers are not able to stop the search feature being abused, surprisingly they have provided no way to disable the public side search function in the admin settings.

If you want to continue offering the search feature as is, but it is being abused, you will need to use a firewall such as CloudProxy to enforce JavaScript in a browser using the Emergency DDoS Protection or CloudFlare’s delayed access “I’m Under Attack” protection (also using JavaScript).

If you can live without the WordPress search feature, and I suspect most sites can, as many templates don’t even have a search button, meaning the search feature would never be used by a legitimate user anyway, you can use a plugin such as “Disable Search” to remove that function. Or you can hack it out yourself by adding :

function fb_filter_query( $query, $error = true ) {

if ( is_search() ) {
$query->is_search = false;
$query->query_vars[s] = false;
$query->query[s] = false;
// to error
if ( $error == true )
$query->is_404 = true;

add_action( 'parse_query', 'fb_filter_query' );
add_filter( 'get_search_form', create_function( '$a', "return null;" ) );

to the theme’s functions.php file.

Note: if you set $error to be true, then the user will be redirected to your 404 page (theme’s 404.php must exist). If you set it as false, then the user stays at the page where they tried to run the search.
(script borrowed from WPBeginner.com)

Of course if your template has some search button, that would need to be separately removed in the css. Of course, removing the button alone is not enough.To remove the search button in Twenty Fourteen, this theme add this to your .css:

.search-toggle { display: none; }

Another mitigation might be to disable WordPress’s default search feature and enable something like the WP Google Search plugin and widget which leverage Google’s search engines to serve your site.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.