WordPress DDoS Attack Flaw Security CVE-2018-6389 – Fixes

WordPress DDoS Attack Flaw Security CVE-2018-6389 – Fixes

Simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.

What is DDoS Attacks ?

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.

Flaw Security CVE-2018-6389

Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in last nine years, including the latest stable release of WordPress (Version 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.

For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance and load page faster by combining (on the server end) multiple JavaScript files into a single request.However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually making the feature accessible to anyone.

wordpress dos attack

Depending upon the plugins and modules you have installed, the load-scripts.php file selectively calls required JavaScript files by passing their names into the “load” parameter, separated by a comma, like in the following URL:


While loading the website, the ‘load-scripts.php’ (mentioned in the head of the page) tries to find each JavaScript file name given in the URL, append their content into a single file and then send back it to the user’s web browser.

How WordPress DoS Attack Works


According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the above URL, making the targeted website slightly slow by consuming high CPU and server memory.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user,” Tawily says.

Although a single request would not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible and bring it down.

The Hacker News has verified the authenticity of the DoS exploit that successfully took down one of our demo WordPress websites running on a medium-sized VPS server.

“It is time to mention again that load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.

However, attack from a single machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power and memory.


But that doesn’t mean the flaw is not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets and bandwidth to achieve the same goal—to take down a site.

So attackers with more bandwidth or a few bots can exploit this flaw to target big and popular WordPress websites as well.

Knowing that DoS vulnerabilities are out-of-scope from the WordPress bug bounty program, Tawily responsibly reported this DoS vulnerability to the WordPress team through HackerOne platform.

However, the company refused to acknowledge the issue, saying that this kind of bug “should really get mitigated at the server end or network level rather than the application level,” which is outside of WordPress’s control.

The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers and making them unavailable for their legitimate users.

Vulnerability Fixes

Here are a few tips to secure your WordPress website against these vulnerabilities

1. Find a Secure Hosting Provider

Always find a WebHosting provider that can afford services offering DDoS protection against application-layer attacks.
If your WordPress is running at one of Skytells Servers, So Skytells’s Managed WordPress Services are protected from DDoS attacks.
And if you’re looking for a secured WordPress Hosting, Check out our plans for WordPress – And Why you should choose us!

2. Install Skytells Guard Plugin

The Skytells Guard Plugin is one of the World’s most advanced All-in-one security plugins for WordPress.

You can get this plugin for free by clicking here.

The Skytells Guard plugin will take your website security to a whole new level, This plugin is designed and written by experts and is easy to use and understand, It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.


3. Skytells Guard – Anti-DDoS

The Anti-DDoS Attack is a feature provided by Skytells Guard Plugin for WordPress!

If you’ve installed Skytells Guard, Turn on Skytells Firewall first, then Anti-DDoS Option,
Skytells security and firewall rules are categorized into “basic”, “intermediate” and “advanced”. This way you can apply the firewall rules progressively without breaking your site’s functionality.
Skytells Guard allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.
So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.

Now from Skytells Guard’s control panel, go to Firewall settings and Activate DDoS Protection option to activate Anti-DDoS Attack!

2nd, From the Advanced Firewall Rules, Make sure to set DDoS Protection options to the following values

Now Save Skytells Guard’s Firewall Settings and prepare your self for the next step,

4. A Little Customization

Now you need grant more protection against HTTP requests before it hits the wordpress itself, so we need to make some changes to .htaccess file,
So, Now connect to your website using the FTP and find .htaccess file and open it and add the following lines

RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]

Place this after RewriteBase / or RewriteEgine On if you don’t have it. Attacker will get 403 error instead of jointed scripts.

Skytells recommends to use this pre-ready .htaccess file :

RewriteEngine on

# BEGIN WordPress

RewriteEngine On
RewriteBase /

RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]

RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress


5. Always Keep-in-eye on Your Website!

At Skytells we believes that Cyber security should not be based on fear, but on data and having a measurable effect,

In an ideal world your WordPress site is already completely secure.  In order for that to be true in, there are a few factors that need to be in place.

  1. Never and Never use an unknown plugin
  2. Scan every single plugin before install it on your site.
  3. Always use an AI-Powered Scanner like Skytells AV provided by Skytells Guard
  4. Do NOT use a low-end web hosting provider because 90% of these providers are using a shared kernel for their customers
  5. Always update your WordPress and Plugins


Since WordPress sites are often under hackers target due to its wide popularity in the content management system (CMS) market, administrators are advised to always keep their software and plugins up-to-date, Skytells Guard is strongly recommended to protect your WordPress against common attacks.


Related Posts