

WordPress Vulnerability – Fix for NGINX

WordPress has a vulnerability that lets an unauthenticated attacker mount a denial-of-service (DoS) attack against a WordPress site. The admin script loaders, wp-admin/load-scripts.php and wp-admin/load-styles.php, take a load[] list of script or style handles and concatenate the matching files into a single response. They can be called without logging in, so one request naming a long list of handles makes the server read and return a large amount of content, and repeating that request exhausts it.
According to the vulnerability database entry (https://wpvulndb.com/vulnerabilities/9021, CVE-2018-6389), all versions up to and including 4.9.4 are affected.

WordPress has not yet released a patch, but if you run the nginx web server the rule below mitigates the attack: it rejects any request to load-scripts.php whose query string is 1024 bytes or longer, which is far beyond what wp-admin itself generates for this endpoint, and closes the connection without sending a response (status 444 is nginx's non-standard code for exactly that).
The nginx configuration is given below; it goes in the server block for the site.

# https://wpvulndb.com/vulnerabilities/9021
# Regex locations are tried in file order, first match wins: keep this
# block above the generic "location ~ \.php$" handler.
location ~* ^/wp-admin/load-scripts\.php$ {
  # $query_string is everything after "?"; 1024+ bytes is far beyond what
  # a normal wp-admin page requests from this endpoint.
  if ( $query_string ~* "^.{1024,}$" ) {
    return 444;   # close the connection without sending a response
  }
  # Shorter requests must still be executed as PHP: repeat the
  # include fastcgi_params / fastcgi_pass lines of your PHP handler here.
}

The same rule must also be put in place for load-styles.php, which takes the same load[] parameter; alternatively widen the path regex to load-(scripts|styles)\.php and cover both in one block. Two cautions: nginx uses the first regex location that matches, in file order, so the block must appear before the generic location ~ \.php$ handler, and it must itself hand normal-length requests to PHP, otherwise legitimate wp-admin requests to these files stop working. Before relying on the 1024-byte threshold, check your access log for the longest query string these endpoints see in normal use, and after changing the configuration run nginx -t, reload, and confirm the dashboard still loads.
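The following is an added example of one way to cover both loader scripts; it is not the page's own rule or the linked gist. It tests $request_uri (the raw request target, query string included) at server level, so it does not depend on where it sits relative to the PHP location and cannot accidentally intercept normal requests. The listen, server_name, root and PHP-FPM socket values are assumed placeholders; substitute your own.

```nginx
# Added example (not the page's or the gist's configuration): a server-level
# rule covering both load-scripts.php and load-styles.php.
server {
    listen 80;
    server_name example.com;            # assumed
    root /var/www/wordpress;            # assumed

    # $request_uri is the raw request target including "?" and the query
    # string, so ".{1024,}" after "\?" means a query of 1024+ bytes.
    # "if ... return" at server level is one of the safe uses of "if".
    if ($request_uri ~* "^/wp-admin/load-(scripts|styles)\.php\?.{1024,}$") {
        return 444;                     # close the connection, send nothing
    }

    # Ordinary requests, including short loader requests, proceed as usual.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;   # assumed socket path
    }
}
```

After nginx -t and a reload, a request to either loader with a query string longer than 1024 bytes should get no response at all (curl reports "Empty reply from server", exit code 52), while the wp-admin dashboard keeps loading normally.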

The nginx rule above is taken from the gist below. Be aware that the gist links to a hacking blog; click on it or visit it at your own risk.
https://gist.github.com/dustyfresh/d75d557d8212cc1dba51b3552ca4442e

There is also a bash script that patches the WordPress files themselves. Again, use it at your own risk. It makes load-scripts.php and load-styles.php require a logged-in user before they serve anything; at present they are reachable by anonymous users, which is what allows them to be abused. Bear in mind that it edits core files, so the next WordPress core update will overwrite the change and you will need to reapply it (or keep the nginx rule in place as well).

https://github.com/Quitten/WordPress/blob/master/wp-dos-patch.sh
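To see whether these endpoints are actually being hit, and to pick the threshold before relying on 1024 bytes, the following added example (not code from this page, the gist, the bash script, or WordPress) scans nginx access-log lines for requests to load-scripts.php and load-styles.php, flags those whose query string would trip the rule, counts them per client IP, and reports the longest query string seen in normal use. It assumes nginx's default "combined" log format; the log lines and the handle names in the oversized query are constructed for the example.

```python
"""Flag abuse of wp-admin/load-scripts.php and load-styles.php in nginx logs.

Added example: not code from this page, the gist it links, or WordPress.
Assumes the default nginx "combined" access-log format.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The two script-concatenation endpoints covered by the nginx rule.
LOADER_RE = re.compile(r'^/wp-admin/load-(?:scripts|styles)\.php$', re.IGNORECASE)

# Same threshold as the "^.{1024,}$" check in the nginx rule.
QUERY_LIMIT = 1024


def classify(line, query_limit=QUERY_LIMIT):
    """Describe a loader request, or return None for any other log line.

    'suspicious' is True when the query string is at least query_limit
    bytes, i.e. when the nginx rule would have answered with 444.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group('target'))
    if not LOADER_RE.match(url.path):
        return None
    # Count requested handles across load[] / load[chunk_N] parameters.
    params = parse_qs(url.query)
    handles = [h for key, values in params.items() if key.startswith('load[')
               for value in values for h in value.split(',') if h]
    return {
        'ip': m.group('ip'),
        'path': url.path,
        'status': int(m.group('status')),
        'query_len': len(url.query),
        'handle_count': len(handles),
        'suspicious': len(url.query) >= query_limit,
    }


def summarize(lines, query_limit=QUERY_LIMIT):
    """Count oversized loader requests per client IP."""
    hits = Counter()
    for line in lines:
        info = classify(line, query_limit)
        if info is not None and info['suspicious']:
            hits[info['ip']] += 1
    return hits


def longest_legitimate_query(lines, query_limit=QUERY_LIMIT):
    """Longest loader query that stays under the limit: shows how much
    headroom the threshold leaves real wp-admin traffic."""
    best = 0
    for line in lines:
        info = classify(line, query_limit)
        if info is not None and not info['suspicious']:
            best = max(best, info['query_len'])
    return best


# Constructed sample log.  The oversized query uses made-up handle names;
# only its length matters to the rule.
ATTACK_QUERY = 'load[]=' + ','.join(f'handle-{i}' for i in range(160))
SAMPLE_LOG = [
    # Ordinary dashboard request as wp-admin emits it: short query.
    '203.0.113.10 - - [05/Feb/2018:10:00:01 +1300] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.4 HTTP/1.1" 200 81234 '
    '"-" "Mozilla/5.0"',
    # Oversized request that got through (no rule in place yet).
    '198.51.100.7 - - [05/Feb/2018:10:00:02 +1300] "GET /wp-admin/load-scripts.php?'
    + ATTACK_QUERY + ' HTTP/1.1" 200 4120000 "-" "python-requests/2.18"',
    # Same client against load-styles.php after the rule was deployed.
    '198.51.100.7 - - [05/Feb/2018:10:00:09 +1300] "GET /wp-admin/load-styles.php?'
    + ATTACK_QUERY + ' HTTP/1.1" 444 0 "-" "python-requests/2.18"',
    # Unrelated request: ignored.
    '203.0.113.10 - - [05/Feb/2018:10:00:12 +1300] "GET /index.php HTTP/1.1" 200 5123 '
    '"-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, count in summarize(SAMPLE_LOG).most_common():
        print(f'{ip}: {count} oversized loader request(s)')
    print('longest legitimate query seen:', longest_legitimate_query(SAMPLE_LOG))
```

Run it against a real log with `summarize(open('/var/log/nginx/access.log'))`; if longest_legitimate_query comes anywhere near 1024 on your site, raise the threshold in the nginx rule rather than risk blocking the dashboard.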