Forum Moderators: rogerd & travelin cat


WordPress Vulnerability Affects All Versions


engine

3:32 pm on Feb 8, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Reports of a DDoS vulnerability of all versions of WordPress have surfaced, and, according to reports, it remains unpatched. "The vulnerability resides in the way "load-scripts.php," a built-in script in WordPress CMS, processes user-defined requests."

[thehackernews.com...]

There is a WordPress V4.9.4 maintenance release now available, but it's not clear to me if this vulnerability has been resolved. Either way, it's worth ensuring you've updated.
[wordpress.org...]

not2easy

4:09 pm on Feb 8, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Not to sideline the main topic, but WordPress V4.9.4 will require a manual update, even for those whose versions have been set to auto-update because WordPress V4.9.3 accidentally disabled the auto-update function in WP (available since V3.7 four years ago). It will cause the auto-update function to fail. Several WP sites that I maintain just auto-updated to V4.9.3 a few days ago and now require manual intervention.

Important to know because many WP users have relied on the automatic updates for years now.

engine

4:15 pm on Feb 8, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Yes, I meant to mention that, too. Thanks.

not2easy

4:21 pm on Feb 8, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I see that a patch (a bash script) was released today. The link is in the hackernews article.

I am hoping that a new WP version to address it will be available shortly as the majority of WP consumers won't have any idea about the problem or the fix even after reading the article.

TorontoBoy

4:53 pm on Feb 8, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Damn, just did the 4.9.3 update yesterday. WP needs to do better, as it is so prone to hacking. I usually wait a couple of days before pushing a patch, just in case they screwed it up.

keyplyr

9:47 pm on Feb 8, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Oh great, now I'll be seeing all those probes in my logs.

Webwork

7:51 pm on Feb 9, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The wake-up call is to do the manual update NOW. If you don't, then auto-updates won't work, and that's exactly the function you NEED TO WORK to have security updates load ... automatically.

TorontoBoy

8:01 pm on Feb 9, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



This is a DoS attack method. Worst case is you lose traffic. They are not breaking into your site, messing around with your data and database, replacing content with their crap. Also no cross-site scripting risk. Still, you should update. It is rare for WordPress to publish this level of risk.

ByronM

2:45 pm on Feb 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I use the Wordfence plugin (free) and it seems to do a fantastic job keeping away most WP attackers. I would think this DDoS attack is easily stopped by its WAF rules.

TorontoBoy

4:34 pm on Feb 18, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



You would not know if it did. Wordfence protects WP. This is a DDOS attack. Your viewers would be denied access to your site but your install would be intact.

not2easy

6:12 pm on Feb 18, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



TorontoBoy is right, the wordfence plugin protects WP from some kinds of attack, but plugins do not protect your server/host. DDOS is an attack on the server's resources.

ByronM

9:55 pm on Feb 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




You would not know if it did. Wordfence protects WP. This is a DDOS attack. Your viewers would be denied access to your site but your install would be intact.


Wordfence puts a WAF at your front door, essentially. The beauty of Wordfence is that if a Wordfence site is DDoS'd, the signals are used to defend other Wordfence sites, and there are ways you could restrict/throttle connections by IP as well. It's not the best WAF, but it can defend against this to some degree.

Some caching systems probably replace this with their own custom filters as well.

ByronM

3:59 pm on Feb 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




You would not know if it did. Wordfence protects WP. This is a DDOS attack. Your viewers would be denied access to your site but your install would be intact.


This is a DDoS attack that causes server load issues by re-loading JS components. It's not a remote ping, but a server load issue - more of a fork bomb, but instead of forking from a shell, it's causing your HTTP server to strain. Wordfence can collect attack vectors and distribute blocks across its network for machines that seem to be the source of this attack.
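For anyone who, like keyplyr, expects to see these probes in their logs, here is a small added log-review script (example code, not from the thread, the article or WordPress). It scans combined-format access-log lines for requests to load-scripts.php, counts how many script handles each request asks for via the `load[]` query parameter that load-scripts.php accepts, and flags client IPs that either send oversized handle lists or hammer the endpoint; the thresholds and the sample log lines are constructed assumptions to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"'
)

def script_count(target):
    """Number of script handles in one load-scripts.php request (0 for any other path)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/load-scripts.php"):
        return 0
    qs = parse_qs(parts.query)  # decodes load%5B%5D back to load[]
    handles = []
    for value in qs.get("load[]", []) + qs.get("load", []):
        handles.extend(h for h in value.split(",") if h)
    return len(handles)

def flag_sources(log_text, max_handles=60, max_requests=20):
    """Return {ip: (requests, largest_handle_list)} for IPs over either threshold.
    Thresholds are assumptions; tune them against a site's normal admin traffic."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        n = script_count(m.group("target"))
        if n == 0:
            continue
        s = stats[m.group("ip")]
        s[0] += 1
        s[1] = max(s[1], n)
    return {ip: (r, h) for ip, (r, h) in stats.items() if r > max_requests or h > max_handles}

# --- constructed sample log (not real traffic; RFC 5737 documentation addresses) ---
def _line(ip, target):
    return f'{ip} - - [08/Feb/2018:15:32:01 +0000] "GET {target} HTTP/1.1" 200 4120'

_normal = "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.3"
_huge = "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(f"h{i}" for i in range(80))
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.4", _normal)] * 2   # ordinary admin page load
    + [_line("203.0.113.7", _huge)] * 5    # few requests, oversized script list
    + [_line("192.0.2.9", _normal)] * 25   # hammering the endpoint
)
if __name__ == "__main__":
    for ip, (reqs, biggest) in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {reqs} load-scripts requests, largest list {biggest} handles")
```

Flagged IPs are candidates for a rate limit or block at the web server or host firewall, which is where a DDoS has to be handled rather than inside WordPress itself.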