Last week, we wrote about a report published by Sucuri that explained how 162,000 clean WordPress sites were used in a DDoS attack through the pingback functionality of XML-RPC. Alex Shiels, who works on Akismet, mentioned on Twitter that the security team was working on a solution.
An update to Akismet is now available containing bug fixes, security, and anti-spam improvements. Notably:
- Include X-Pingback-Forwarded-For header in outbound WordPress pingback verifications.
- Add a pre-check for pingbacks, to stop spam before an outbound verification request is made.
According to Shiels, Akismet's anti-spam checks previously ran only after WordPress had already verified a pingback, that is, after the outbound verification request had been sent. That request also carried nothing identifying who had asked the site to make it, which effectively cloaked the true source of the traffic. The new header exposes that source to the site being fetched, and the pre-check lets spam be rejected before any outbound request is made. Shiels also stated the fixes applied to Akismet may find their way into the core of WordPress in a future update: “We think a similar approach may be appropriate for core in a future release.”
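To make the two bullet points concrete, here is an illustrative must-use plugin that wraps the built-in `pingback.ping` handler so that checks run before WordPress fetches the source URL, and that tags the outbound fetch with the caller's address. This is an added example written for this page; it is not Akismet's code or WordPress core, and the file name, the `PBPC_MAX_PER_HOUR` limit and the `pbpc_denied_hosts()` list are assumptions chosen for the example. The hooks it uses (`xmlrpc_methods`, `http_request_args`, transients, `IXR_Error`) are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Pingback pre-check (illustrative example, not Akismet)
 * Save as wp-content/mu-plugins/pingback-precheck.php (hypothetical path).
 */

// Assumed limit: how many pingback.ping calls one caller IP may make per hour.
define( 'PBPC_MAX_PER_HOUR', 20 );

// Assumed denylist of source hosts, e.g. hosts already seen in reflection traffic.
function pbpc_denied_hosts() {
	return array( 'spam.example.net' );
}

// Replace core's pingback.ping callback with our wrapper. The XML-RPC server
// reads this map when it is constructed, so the wrapper runs for every call.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	$methods['pingback.ping'] = 'pbpc_pingback_ping';
	return $methods;
} );

function pbpc_pingback_ping( $args ) {
	global $wp_xmlrpc_server;

	$caller_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	$source    = isset( $args[0] ) ? (string) $args[0] : '';

	// Pre-check 1: per-caller rate limit, evaluated before any outbound request.
	// A reflection attack sends many pingback.ping calls from few addresses;
	// a genuine blog linking to you sends a handful.
	$key   = 'pbpc_rl_' . md5( $caller_ip );
	$count = (int) get_transient( $key );
	if ( $count >= PBPC_MAX_PER_HOUR ) {
		return new IXR_Error( 0, 'Too many pingbacks from your address; try again later.' );
	}
	set_transient( $key, $count + 1, HOUR_IN_SECONDS );

	// Pre-check 2: refuse source URLs we never want to fetch.
	$host = strtolower( (string) parse_url( $source, PHP_URL_HOST ) );
	if ( '' === $host || in_array( $host, pbpc_denied_hosts(), true ) ) {
		return new IXR_Error( 0, 'Pingback source not accepted.' );
	}

	// Pre-checks passed: let core do its normal verification fetch, but add the
	// address that asked us to make it, so the fetched site can see the real
	// origin instead of only a "WordPress/x.y; http://our-site" user agent.
	$tag = function ( $r, $url ) use ( $caller_ip ) {
		if ( empty( $r['headers'] ) ) {
			$r['headers'] = array();
		}
		if ( is_array( $r['headers'] ) ) {
			$r['headers']['X-Pingback-Forwarded-For'] = $caller_ip;
		}
		return $r;
	};
	add_filter( 'http_request_args', $tag, 10, 2 );
	$result = $wp_xmlrpc_server->pingback_ping( $args ); // core's own handler
	remove_filter( 'http_request_args', $tag, 10 );

	return $result;
}
```

Two practical notes. The rate limit lives in transients, so without a persistent object cache every counted call costs a database write; that is still far cheaper than the outbound HTTP request it prevents. And the header only helps a site under attack if that site records it: with nginx, for example, adding `$http_x_pingback_forwarded_for` to the `log_format` makes the forwarded address appear in the access log next to the reflector's user agent, which is what you need to block the actual source rather than thousands of innocent blogs.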
How To Disable Pingbacks On Content Already Published
While the security improvements in Akismet will have the widest impact, I still maintain that trackbacks and pingbacks have lost their luster. You can easily stop pingbacks on new content under Settings > Discussion, but removing them from content that is already published normally means running a query against the database, since that setting does not touch the ping status stored on existing posts. Thankfully, there is a plugin that removes the need for the query: Auto-Close Comments, Pingbacks and Trackbacks by Ajay.
Auto-close gives users flexibility in determining which posts and pages ping/trackbacks will be disabled. There’s no option to disable them on every post or page. However, I was able to shut them off on most of my content by closing ping/trackbacks on posts older than one day. If you have a lot of content already published, you’ll want to use the built-in scheduler to avoid using too many resources on the server.
The plugin works as advertised and is the only one I could find that can turn trackbacks and pingbacks off in bulk without using a database query.
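For readers who would rather run the query themselves, here is an added example of what the plugin's "close pings on posts older than N days" option does at the database level. This is not the plugin's code and not from the original post; it is a standalone script meant to be run once with WP-CLI's `eval-file` command, and the file name, the `$days` value and the `$dry_run` switch are assumptions for the example. It counts the affected rows before changing anything, which is the check you want before a bulk update on a large site.

```php
<?php
// Run as: wp eval-file close-pings.php   (hypothetical file name)
// Closes pingbacks/trackbacks on published posts and pages older than $days.
global $wpdb;

$days    = 1;     // assumed: mirror the plugin's "older than one day" setting
$dry_run = true;  // assumed: flip to false to actually apply the update

$cutoff = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );

// Only rows that are published, still open, and older than the cutoff.
$where = $wpdb->prepare(
	"post_type IN ('post', 'page')
	 AND post_status = 'publish'
	 AND ping_status = 'open'
	 AND post_date_gmt < %s",
	$cutoff
);

$affected = (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE {$where}" );
echo "Rows that would be closed: {$affected}\n";

if ( $dry_run || 0 === $affected ) {
	echo "Dry run, nothing changed.\n";
	return;
}

$updated = $wpdb->query( "UPDATE {$wpdb->posts} SET ping_status = 'closed' WHERE {$where}" );
echo "Closed pings on {$updated} posts.\n";

// A direct UPDATE bypasses WordPress's post cache; drop it so the admin
// screens and templates see the new ping_status immediately.
wp_cache_flush();
```

The `ping_status` column is what WordPress consults when deciding whether to accept a pingback for a given post, so this is the same change the plugin makes, minus its scheduling. On a site with tens of thousands of posts a single `UPDATE` with the date condition is one fast statement; the plugin's batching matters mainly when it runs through WP-Cron on a shared host.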
Thanks for featuring my plugin on the Tavern! I am also thinking of adding an option to disable pings using the code published on the Sucuri post. Again, it's all optional and a user would need to manually select if they want to disable this.