There is a DoS vulnerability in all WP installations. It is hidden in the load-scripts.php and load-styles.php files. Their purpose is to combine scripts and styles in the administration to load the admin faster.
You can ask them to combine a huge amount of files, the result will be a huge load and it may kill your webserver.
There is an unofficial patch or you can limit the size of requests for load scripts:
For Apache
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RewriteCond %{REQUEST_URI} ^/+wp-admin/+load-(scripts|styles)\.php$ | |
| RewriteCond %{QUERY_STRING} load\[\]=(.{800,})$ | |
| RewriteRule ^(.*)$ – [F,L] |
For Nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #block load-scripts|styles.php requests with long argument list | |
| #CVE-2018-6389 impact mitigation | |
| if ($request_uri ~* "^/+wp-admin/+load-(scripts|styles)\.php\?.{800,}$"){ | |
| return 403; | |
| } |
Question is: Do you still need it in the age of HTTP/2?
Vladimir Smitka 