Did you know that you can abuse the LiteSpeed Cache Plugin crawler for a DDoS attack?
In the realm of web performance optimization, caching plugins like LiteSpeed Cache are indispensable tools. They enhance website loading times and reduce server load. But what happens when such technology harbors a serious security vulnerability? This post sheds light on a critical flaw in the LiteSpeed Cache Plugin for WordPress that, if exploited, could potentially lead to attacks on external hosts.
LiteSpeed Cache Plugin: An Overview
The LiteSpeed Cache Plugin for WordPress is a powerful tool used to make websites faster and optimize server performance. One of its useful features is the built-in crawler, which warms up the cache by automatically loading the pages listed in a sitemap. This function is crucial for websites with dynamic content to ensure that users always see the fastest possible version of the page.
The numerous crawler settings make it possible to adapt the crawling speed to the performance of the respective server. However, this well-intentioned function meets at least one of two conditions that allow the built-in crawler of the LiteSpeed Cache plugin to be abused by anyone, without any programming knowledge.
The Vulnerability in Detail
Strictly speaking, the two vulnerabilities described below are not vulnerabilities, because it is not the crawler or the cache plugin that is vulnerable. Rather, the LiteSpeed Cache plugin with its built-in crawler provides an easy-to-use tool that can be abused for a DDoS attack.
Vulnerability 1
The "Threads" setting determines the number of (almost) simultaneous requests. It governs not only the speed of crawling, but also the load that the crawl causes. If you run the crawler against the origin host, which is what the built-in crawler is actually intended for, this setting is essential. But the thread setting has no limit, so any value can be set. If you want to carry out a DDoS attack with the built-in crawler, this thread setting offers the ideal conditions for doing so.
Although the built-in crawler contains many errors, its multi-threading allows URL requests to be executed not serially, but as an unlimited number of simultaneous requests. As advantageous as multi-threading is for cache warmup, this function can also be abused by anyone.
Vulnerability 2
The built-in crawler of the LiteSpeed Cache plugin for WordPress uses the sitemap that is available for SEO purposes. The crucial vulnerability that LiteSpeed ignores is that the crawler can be given any sitemap, and the URLs contained in the sitemap are not checked to see whether the domain name in the URL corresponds to the origin host. Even the layman quickly realizes that, with no limit on the number of threads and no check of the URLs in the sitemap, this crawler can easily be abused. The not very intelligent crawler of the LiteSpeed Cache plugin stubbornly crawls the URLs from every sitemap, which creates the ideal conditions for a DDoS attack.
Even if the intention is something less than a full DDoS attack, it is no less malicious to overload a competitor's server so that it is no longer available, or only available to a limited extent. Especially since the competitor provides the sitemap required for this attack without restriction and free of charge.
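The two checks this section says are missing, an upper bound on the thread count and a test that every sitemap URL belongs to the origin host, look like this as an added sketch. It is not LiteSpeed's or the author's code; it is written in Python rather than the plugin's PHP so that it runs on its own, and MAX_THREADS, the function names and the shop.example sitemap are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_THREADS = 3  # assumed cap, not a plugin value; size it to the origin server
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

def clamp_threads(requested):
    """Bound the configured thread count to 1..MAX_THREADS."""
    try:
        return max(1, min(int(requested), MAX_THREADS))
    except (TypeError, ValueError):
        return 1

def host_of(url):
    """Lower-cased host of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".") or None

def same_origin_urls(sitemap_xml, origin_url):
    """Split sitemap <loc> entries into (allowed, rejected) by origin host."""
    if "<!DOCTYPE" in sitemap_xml or "<!ENTITY" in sitemap_xml:
        raise ValueError("sitemap with DTD/entity declarations refused")
    origin = host_of(origin_url)
    if origin is None:
        raise ValueError("origin_url must be an absolute http(s) URL")
    allowed, rejected = [], []
    # <loc> also appears in sitemap index files, so child sitemaps get the same test.
    for loc in ET.fromstring(sitemap_xml).iter(SITEMAP_NS + "loc"):
        url = (loc.text or "").strip()
        (allowed if host_of(url) == origin else rejected).append(url)
    return allowed, rejected

# Constructed sample: the site's own pages mixed with foreign hosts.
SAMPLE = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example/</loc></url>
  <url><loc>https://SHOP.example:443/cart</loc></url>
  <url><loc>https://other.example/heavy-page</loc></url>
  <url><loc>https://shop.example.other.example/</loc></url>
  <url><loc>ftp://shop.example/file</loc></url>
</urlset>"""

if __name__ == "__main__":
    ok, bad = same_origin_urls(SAMPLE, "https://shop.example")
    print(len(ok), "allowed,", len(bad), "rejected, threads =", clamp_threads(500))
```

The comparison is on the exact host name, so a look-alike such as shop.example.other.example is rejected, and the thread count is clamped no matter what value the settings page submits.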
Known Vulnerabilities powered by LiteSpeed
The vulnerabilities described are neither new nor secret. LiteSpeed has known about them since the first day the cache plugin was available. With minimal changes to the plugin code, it would be possible to limit abuse to such an extent that not everyone without programming knowledge can abuse the crawler.
The real danger of the vulnerabilities therefore does not come from the fact that you can program a crawler yourself with a few lines of PHP code in order to abuse it. The real danger comes from the fact that LiteSpeed provides every user with the necessary tool for abuse free of charge and without any special knowledge.
LiteSpeed has a general problem with the security of all LiteSpeed crawlers. The LiteSpeed Cache Plugin for WordPress is the best-known cache plugin, but LiteSpeed also provides other cache plugins for other CMS and almost every one of these cache plugins contains a crawler for cache warmup. And all crawlers have the same problem, so thanks to open source it is possible to further tune these crawlers for abuse.
Protection against LiteSpeed Crawler Vulnerabilities
Can you protect yourself against abuse through the LiteSpeed crawler's vulnerabilities? Yes, but with major restrictions.
If you don't have a firewall or at least ModSecurity, the built-in crawler must be blocked via .htaccess. Insert the following code into the .htaccess file in the WordPress root directory, but outside the LiteSpeed markers. This code blocks access by the built-in crawler of other sites, but not by your own built-in crawler. Therefore, replace the IP address with the IP address of the origin host.
It should be noted that this protection only works as long as the code of the built-in crawler has not been modified, which is very easy to do thanks to open source.
Crawler Vulnerabilities that LiteSpeed cannot fix
You would expect that every vulnerability can be fixed. In the specific case of the LiteSpeed built-in crawler, however, this applies only to a very limited extent. LiteSpeed could prevent abuse with little effort, but the LiteSpeed Cache plugin is open source, like WordPress itself. This means that not only can a possible protection mechanism be easily circumvented, but the crawler code can even be tuned by adding well-known cURL parameters, so that blocking the built-in crawler is almost impossible.
The only effective solution would be to run the crawler as an application independent of the cache plugin, where the code can be encrypted, making it impossible to hack the code. Given that LiteSpeed has only limited human resources and the LiteSpeed cache plugin is programmed by external freelancers, there is little prospect that LiteSpeed will provide a secure and abuse-free crawler for cache warmup.
The One-and-Only Cache Warmup Crawler not only for WordPress
Kitt - The Cache Crawler. Fast, Safe and Lightweight
Made for LiteSpeed Cache Plugin and WordPress
3 times faster than the built-in Crawler
Requires 50% fewer Server Resources
Abuse Protection
Dynamic Server Load Control
Crawls up to 200,000 URLs within 1 hour
Cache Vary Support for Guest Mode, Webp Replacement and Mobile View
Innovative Re-cache to warmup only changed or newly added Posts and Pages