1. I liked the old solution where XML-RPC was disabled by default and users had an option to turn it on as needed.

    Would be curious to know what percentage of WordPress users actually use the WordPress mobile app.

  2. PB and TB were fun when there were 1,000 WP blogs globally and it helped finding out each others, and before there were so many spam blogs auto-syndicating content. I for one killed them years ago. They are things from the past.

    1. I know you killed them a long time ago, I linked to your article when I wrote about the Tavern being Trackbacked to death :) I think I’ve reached the point where I’m just going to disable them once and for all. Less things to moderate :P

  3. Hello Jeff, brackets look like a little unbalanced. Maybe line no.5 must be not
    } );


  4. Jemima Pett

    Jeff, I’m a user not a coder – but is this the reason loads of wordpress users have been unable to access other *.wordpress.com sites since Tuesday? And also the reason why my wordpress.org dashboard has finally come back into full dispaly and functionality?

  5. John Adams

    Instead of using the provided code, can’t you just remove the check in the box for pingbacks and trackbacks in the Settings/Discussion? This is what I did but am I missing something as I use JetPack? Would like to hear what your opinion-use the code or the unchecked box

    1. I had to double check to make sure but if you turn off trackbacks/pingbacs from the Settings page, only posts/pages created from that point on will have them disabled. You’ll need to run a database query to turn them off for all existing postspages. WP Beginner explains what to do in this post http://www.wpbeginner.com/wp-tutorials/how-to-disable-trackbacks-and-pings-on-existing-wordpress-posts/

      Just make sure you backup your site first before messing with the database.

  6. Hello, I have to dissent with some of the recommendations. The only one I can agree, is the fact that possibly now is time for XML RPC to say good bye to WP.


    XML RPC is only needed in a number of scenarios, and since this attack is being drived from any kind of WP websites, big and small ones, there are lots of cases where XML RPC is absolutely no needed. i.e.: when you use WP to build a site with a set of webpages, with no posts, or even no RSS, nor updates. Also when you won’t allow people to make comments, or if the comments are managed by Facebook/Disqus/JetPack/whatever and you won’t want to see pingbacks/trackbacks.

    I disabled the feature using the Disable XML-RPC plugin in a lot of websites (23) and can confirm that no damage has been done to JetPack Stats, nor the publishing to social networks have been effected. Also, I use plugins that retrieve a bunch of remote things, like InfiniteWP to remotely manage sites, Shareaholic and nRelate for Related Content and sharing, and no difference have been noticed.

    And please note, I didn’t experienced auth problems with JetPack.

    The only reason to keep XML RPC enabled is if you use to publish remotely to your site via third party apps. And that’s probably the way 10% of sites are using worldwide.

    Probably XML RPC should come disabled by default and have a wp-config switch to enable it only when you really need it.

  7. Thank you for the insight Marcelo. I too have installed “Disable XML-RPC” on about 120 wordpress sites and till this time have experienced no difficulty. Thank you.

  8. I think it’s time just to remove pingbacks from core. I can’t remember the last time I left it turned on.

  9. Does it help at all if you delete the xmlrpc php file? I read that somewhere once ages ago.

    1. Hello Christine, that’s not a good idea since it may break another WP functionality. You can always deactivate XML RPC using a plugin or a hook in the functions.php file. By far, if you dont want to mess with PHP, the best and simpler approach is installing Disable XML RPC plugin:

  10. r109

    So does this still apply in 2014 after 3.9.2 patch? Because I’m getting hammered to the point the datacenter is calling me and telling me to get rekt’d

    Also, why not create a drop-in plugin?

  11. jaska

    yeah, its here again. 3.9.2 is evil.

Comments are closed.