There is a DoS vulnerability in all WP installations. It is hidden in the load-scripts.php and load-styles.php files. Their purpose is to combine scripts and styles in the administration to load the admin faster.
You can ask them to combine a huge amount of files, the result will be a huge load and it may kill your webserver.
There is an unofficial patch or you can limit the size of requests for load scripts:
For Apache
RewriteCond %{REQUEST_URI} ^/+wp-admin/+load-(scripts|styles)\.php$ | |
RewriteCond %{QUERY_STRING} load\[\]=(.{800,})$ | |
RewriteRule ^(.*)$ – [F,L] |
For Nginx
#block load-scripts|styles.php requests with long argument list | |
#CVE-2018-6389 impact mitigation | |
if ($request_uri ~* "^/+wp-admin/+load-(scripts|styles)\.php\?.{800,}$"){ | |
return 403; | |
} |
Question is: Do you still need it in the age of HTTP/2?