Table of Contents 6 sections
What Is Server-Side Request Forgery?
Server-Side Request Forgery, or SSRF, is a vulnerability that tricks your server into making an HTTP request to a destination the attacker chooses. Normally, when a site fetches a URL, it fetches a URL you control. In an SSRF attack, the attacker supplies the URL, and your server obediently requests it. Because the request now originates from inside your infrastructure, it can reach places a normal outside visitor never could.
Why SSRF Is So Dangerous
The power of SSRF comes from trust. Internal systems often assume that any request coming from the server itself is safe. An attacker who can steer your server's requests can abuse that trust to:
- Reach internal services such as databases, admin panels, and private APIs that are not exposed to the public internet.
- Read cloud metadata. On many cloud hosts, a special internal address returns credentials and configuration. Stealing these can hand an attacker your entire hosting account.
- Scan the internal network by watching how quickly different internal addresses respond.
- Bypass firewalls because the traffic looks like it comes from a trusted internal source.
Common SSRF Vectors in WordPress
Any feature that fetches a remote URL on the server side is a potential entry point:
- The pingback system. The XML-RPC pingback feature asks WordPress to fetch a URL the caller supplies. This has been abused for years to make sites request internal addresses and to launch reflected attacks against others.
- Link preview and oEmbed handlers that fetch and render remote content.
- Image import and thumbnail generators that download a remote image by URL.
- PDF and screenshot generators that render an arbitrary page.
- Webhook and third-party API integrations where the destination URL comes from user input.
A Simple Example
Imagine a plugin that generates a preview from any URL a user pastes in. An attacker enters the cloud metadata address instead of a normal web page:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
The server dutifully fetches it and may return cloud credentials in the preview, handing the attacker keys to the hosting account. The same trick works against http://localhost and internal IP ranges to reach services that were never meant to be public.
How to Prevent SSRF
For Site Owners
- Disable XML-RPC pingbacks if you do not use them, closing the oldest SSRF vector in WordPress.
- Keep plugins updated, since SSRF flaws in URL-fetching plugins are patched regularly.
- Limit outbound access at the server or firewall level so the site cannot reach internal-only addresses.
- Audit plugins that fetch remote URLs and remove any you do not need.
For Developers
- Validate and allow-list destinations. Only fetch URLs that match an approved list of hosts.
- Block internal ranges. Reject requests to localhost, private IP ranges, and the cloud metadata address before making the request.
- Resolve then verify. Resolve the hostname to an IP and confirm it is public before connecting, to defeat DNS rebinding.
- Never pass raw user input to functions like
wp_remote_get()without validation.
How to Detect SSRF Exposure
Our WordPress Security Scanner checks for an exposed XML-RPC endpoint, active pingback support, and known vulnerable plugin versions that include SSRF flaws. Run a free scan to find out whether your server can be turned against you.
FAQ
Frequently Asked Questions
SSRF is a vulnerability where an attacker tricks a server into making HTTP requests to a destination the attacker chooses. Instead of the visitor's browser making the request, the server does, which lets the attacker reach internal systems that are not exposed to the public internet.
Because the request comes from your server, it can reach internal services, private APIs, and cloud metadata endpoints that trust internal traffic. On cloud hosting, SSRF against the metadata endpoint can leak credentials that grant control over your entire hosting account.
Any feature that fetches a remote URL is a candidate: link preview generators, image import and thumbnail tools, PDF generators, webhook and API integrations, oEmbed handling, and the built-in pingback system, which has a long history of SSRF abuse.
The XML-RPC pingback feature asks WordPress to fetch a URL you supply. Attackers abused this to make sites request internal or third-party addresses, enabling port scanning and reflected denial of service. Disabling XML-RPC or pingbacks removes this vector.
Keep plugins updated, disable XML-RPC pingbacks if unused, and for developers, validate and allow-list any URL the server fetches, block requests to internal IP ranges and the cloud metadata address, and never pass raw user input to functions that make outbound requests.
Tags
Related Posts
Zero-Day Plugin Exploits on WordPress: Attacks Before a Patch Exists
A zero-day plugin exploit attacks a flaw before the developer has a fix. Learn what makes them dangerous and how to reduce your exposure to the unknown.
Cryptojacking on WordPress: When Hackers Mine Cryptocurrency With Your Resources
Cryptojacking hijacks your server or your visitors' browsers to mine cryptocurrency. Learn how to spot the signs, clean the infection, and prevent it.
Card Skimming and Magecart on WordPress: How Attackers Steal Payment Data at Checkout
Card skimming injects invisible code into your checkout to steal customer payment details. Learn how Magecart-style attacks hit WooCommerce and how to stop them.