25 Jul 2005: Attack profile for WordPress sites
Scott Buchanan explains one of the mechanisms by which WordPress sites are attacked by trackback spammers (circa March 2005):
The spam ’bot will iteratively request “index.php?p=[n],” where n is incremented each time. After each successful request, it will then send a trackback to “wp-trackback.php” for entry number n.
To remedy this, Scott wrote a TB Spam Blocker plugin (downloadable from the link above) which patches this particular hole. From the plugin’s included readme.txt:
This plugin will modify the WordPress permalink generator to include a mod_rewrite rule that blocks direct access to wp-trackback.php. (It still allows redirected access through cruft-free URLs. Legitimate trackbacks will use the redirected URL, as that will be what appears on your blog.)
A simple fix, though as soon as the spam bots are updated to use the cruft-free trackback URLs (by crawling the site), this solution will stop working.
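The crawl pattern Scott describes (a fetch of index.php?p=n followed by a trackback for that same n, with n stepping upward) is also easy to spot in the web server log, which is useful as a detection in parallel with the rewrite rule. The following is an added example, not code from the original post or from the TB Spam Blocker plugin. It assumes Apache combined log format, assumes the bot's trackback call shows up as a POST to /wp-trackback.php?p=n or /wp-trackback.php/n (the post only says "wp-trackback.php for entry number n"), and the log lines it runs over are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not real traffic). One client walks
# index.php?p=1,2,3,4 and trackbacks each entry it fetched successfully; a
# second client uses the cruft-free URLs like a normal blog; a third only reads.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2005:10:00:01 +0000] "GET /index.php?p=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2005:10:00:02 +0000] "POST /wp-trackback.php?p=1 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2005:10:00:03 +0000] "GET /index.php?p=2 HTTP/1.0" 200 4880 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2005:10:00:04 +0000] "POST /wp-trackback.php?p=2 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2005:10:00:05 +0000] "GET /index.php?p=3 HTTP/1.0" 404 900 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2005:10:00:06 +0000] "GET /index.php?p=4 HTTP/1.0" 200 5010 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2005:10:00:07 +0000] "POST /wp-trackback.php?p=4 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
198.51.100.20 - - [25/Jul/2005:10:01:00 +0000] "GET /2005/07/some-post/ HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Jul/2005:10:01:30 +0000] "POST /2005/07/some-post/trackback/ HTTP/1.1" 200 120 "http://example.org/" "Mozilla/5.0"
192.0.2.9 - - [25/Jul/2005:10:02:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Cruft-ful entry fetch: /index.php?p=<n>
POST_ID_RE = re.compile(r'^/index\.php\?p=(\d+)$')
# Direct trackback call for entry <n>; the exact form is an assumption (see lead-in).
TRACKBACK_RE = re.compile(r'^/wp-trackback\.php(?:\?p=|/)(\d+)$')


def parse_line(line):
    """Return (ip, method, path, status) for a combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('method'), m.group('path'), int(m.group('status'))


def find_trackback_crawlers(lines, min_pairs=3):
    """Return {ip: [entry ids]} for clients showing the fetch-then-trackback
    pattern over a strictly increasing series of entry ids at least min_pairs
    times. A trackback only counts if it names the entry that client most
    recently fetched with a 200, mirroring 'after each successful request'."""
    last_fetch = {}              # ip -> id of the last successfully fetched entry
    pairs = defaultdict(list)    # ip -> ids for which fetch was followed by trackback
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        m = POST_ID_RE.match(path)
        if m:
            if status == 200:
                last_fetch[ip] = int(m.group(1))
            else:
                # A failed fetch breaks the chain; the bot skips that entry.
                last_fetch.pop(ip, None)
            continue
        m = TRACKBACK_RE.match(path)
        if m and method == 'POST':
            n = int(m.group(1))
            if last_fetch.get(ip) == n:
                ids = pairs[ip]
                if not ids or n > ids[-1]:   # ids must keep incrementing
                    ids.append(n)
    return {ip: ids for ip, ids in pairs.items() if len(ids) >= min_pairs}


if __name__ == '__main__':
    for ip, ids in find_trackback_crawlers(SAMPLE_LOG.splitlines()).items():
        print(f'{ip}: fetch-then-trackback on entries {ids}')
```

Run against the sample, only 203.0.113.7 is reported (entries 1, 2 and 4; entry 3 returned 404 so no trackback followed). The client using the cruft-free trackback URL is not matched, which is exactly the limitation noted above: once bots crawl for the rewritten URLs, both the rewrite rule and this signature need updating.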