How to mitigate load-scripts.php DoS attack in WordPress

Updated on September 6, 2023

If you run WordPress, follow this article to mitigate a denial-of-service (DoS) attack that abuses the load-scripts.php file, which concatenates JavaScript files on the fly. Barak Tawily explains this WordPress vulnerability in detail in his blog post. WordPress lets a client request many JavaScript and CSS files at once through load-scripts.php. Because this feature requires no authentication, anyone with malicious intent can ask for every JavaScript file in a WordPress installation in a single request. The result is a very large response that costs real CPU time and memory on your server, and if such requests arrive often enough, the server is too busy to do anything else.

What makes WordPress load-scripts.php vulnerable?

In short, load-scripts.php can be made to load every registered JavaScript file at once simply by listing their names in the URL. The consequence is a slow website, because each such request consumes excessive processor cycles and server memory.

A load-scripts.php URL looks like the one below. The script works by loading selected JavaScript files whose names are passed in the "load" parameter. On each request it looks up every JavaScript file named in the URL, appends their contents into a single response and sends it back to the user's browser. Because load-scripts.php requires no authentication, an anonymous user can do this. After roughly 500 such requests, the server stops responding altogether or returns 502/503/504 status code errors, and genuine users are denied the resources or actions they need.

https://techglimpse.com/wp/wp-admin/load-scripts.php?c=1&load=%20eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
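As an added example (not part of the original article), the following Python script scans web-server access log lines for the abuse pattern described above: repeated requests to load-scripts.php or load-styles.php whose load parameter lists an unusually large number of script handles. It assumes the Combined Log Format used by default in Nginx and Apache, and the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client identd user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
LOADER_FILES = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["file"] = url.path
    # Script handles are passed comma-separated in the 'load' parameter.
    load = parse_qs(url.query).get("load", [""])[0]
    rec["handles"] = [h.strip() for h in load.split(",") if h.strip()]
    return rec


def find_abusers(lines, min_handles=50, min_requests=3):
    """Return {ip: count} for clients that repeatedly hit load-scripts.php or
    load-styles.php with an unusually long handle list. A normal wp-admin page
    requests a handful of handles; the DoS URL requests well over a hundred."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["file"] in LOADER_FILES and len(rec["handles"]) >= min_handles:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_requests}


def sample_log():
    """Constructed sample lines (not real traffic): three oversized requests
    from one client, one ordinary admin request and one unrelated page hit."""
    big = ",".join("handle%d" % i for i in range(120))  # placeholder handle names
    fmt = '%s - - [06/Sep/2023:10:00:%02d +0000] "GET %s HTTP/1.1" %d 1234'
    return [
        fmt % ("203.0.113.7", 1, "/wp-admin/load-scripts.php?c=1&load=" + big, 200),
        fmt % ("203.0.113.7", 2, "/wp-admin/load-scripts.php?c=1&load=" + big, 200),
        fmt % ("203.0.113.7", 3, "/wp-admin/load-styles.php?c=1&load=" + big, 503),
        fmt % ("198.51.100.4", 4, "/wp-admin/load-scripts.php?c=1&load=common,jquery,wp-util", 200),
        fmt % ("198.51.100.4", 5, "/index.php", 200),
    ]
```

Feed the output of find_abusers to whatever you use for rate limiting or alerting; the thresholds are starting points and should be tuned to your own admin traffic.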

How to mitigate load-scripts.php DoS attack in WordPress?

Step 1: Disable the concatenation of JS and CSS files by adding the line below to your wp-config.php file (place it above the "That's all, stop editing!" line, where WordPress expects custom constants):

define( 'CONCATENATE_SCRIPTS', false );

Step 2: Since the load-scripts.php file (and its counterpart load-styles.php) is no longer needed, block direct access to it.

For Nginx:

Add a location directive inside the server block of your Nginx configuration to deny all access to these files. Put it before the generic location block that handles .php files: Nginx uses the first matching regular-expression location, so a PHP handler defined earlier would win and the deny would never apply:

location ~ ^/wp-admin/load-(scripts|styles)\.php {
    deny all;
}

For Apache:

Add the configuration directive below to your .htaccess file (the Order/Deny lines are Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the same FilesMatch block instead):

<FilesMatch "^load-(scripts|styles)\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

Step 3: Restart the Nginx web server so the new location block takes effect:

# systemctl restart nginx
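As an added example (not part of the original article or of WordPress itself), this Python helper applies Step 1 safely: it inserts the CONCATENATE_SCRIPTS define above the "stop editing" marker of wp-config.php, rewrites an existing define that is set to true instead of adding a second, conflicting one, and refuses to patch a file without the marker. The sample wp-config.php contents and the function names are constructed for illustration.

```python
import re

# Matches an existing define of CONCATENATE_SCRIPTS with either value.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]CONCATENATE_SCRIPTS['"]\s*,\s*(true|false)\s*\)\s*;""", re.IGNORECASE
)
HARDENED = "define( 'CONCATENATE_SCRIPTS', false );"
# Marker present in a stock wp-config.php; custom constants go above it.
MARKER_RE = re.compile(r"^/\* That's all, stop editing!", re.MULTILINE)


def harden_wp_config(text):
    """Return wp-config.php contents with CONCATENATE_SCRIPTS forced to false.
    - an existing define (true or false) is rewritten in place, so the file
      never ends up with two conflicting definitions;
    - otherwise the line is inserted just above the 'stop editing' marker;
    - a file without the marker is refused rather than patched blindly."""
    if DEFINE_RE.search(text):
        return DEFINE_RE.sub(HARDENED, text, count=1)
    m = MARKER_RE.search(text)
    if not m:
        raise ValueError("no 'stop editing' marker found; edit wp-config.php by hand")
    return text[: m.start()] + HARDENED + "\n\n" + text[m.start() :]


def is_hardened(text):
    """True when exactly one define exists and it is set to false."""
    found = DEFINE_RE.findall(text)
    return len(found) == 1 and found[0].lower() == "false"


# Constructed stand-in for a real wp-config.php (values are placeholders).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
```

Run harden_wp_config on the file contents and write the result back, then re-check with is_hardened before proceeding to Step 2, since blocking load-scripts.php while concatenation is still enabled breaks the wp-admin pages.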

That's all. Your website is now protected against this load-scripts.php DoS attack.
