A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in the WordPress CMS platform that could allow anyone to take down most WordPress websites from a single machine, without the massive amount of bandwidth that network-level DDoS attacks require to achieve the same result.

Since the company has declined to patch the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years, including the latest stable release of WordPress (Version 4.9.2).

Walker Hosting was able to mitigate these attacks through mod_security. Therefore, it is NOT possible to exploit this on our shared hosting services. There is an alternative for individuals whose sites are not hosted with Walker Hosting, but it is not guaranteed to succeed: modify “/wp-admin” to be a sub-directory, which will protect you against common WordPress admin scans.