Last week, we wrote about a report published by Sucuri that explained how 162,000 clean WordPress sites were used in a DDoS attack through the pingback functionality of XML-RPC. Alex Shiels who works on Akismet mentioned on Twitter the security team was working on a solution.
An update to Akismet is now available containing bug fixes, security, and anti-spam improvements. Notably:
- Include X-Pingback-Forwarded-For header in outbound WordPress pingback verifications.
- Add a pre-check for pingbacks, to stop spam before an outbound verification request is made.
According to Shiels, anti-spam checks were performed after a pingback was verified and WordPress didn’t pass on who made the request that caused it to verify a pingback effectively cloaking the true source. Shiels also stated the fixes applied to Akismet may find their way into the core of WordPress in a future update: “We think a similar approach may be appropriate for core in a future release.“
How To Disable Pingbacks On Content Already Published
While the security improvements in Akismet will have the widest impact, I still maintain that trackbacks and pingbacks have lost their luster. You can easily stop pingbacks in the Settings – Discussion area but to remove them from content already published involves using a MySQL query. Thankfully, there’s a plugin that bypasses the need to use the query called Auto-Close Comments, Pingbacks and Trackbacks by Ajay.
Auto-close gives users flexibility in determining which posts and pages ping/trackbacks will be disabled. There’s no option to disable them on every post or page. However, I was able to shut them off on most of my content by closing ping/trackbacks on posts older than one day. If you have a lot of content already published, you’ll want to use the built-in scheduler to avoid using too many resources on the server.
The plugin works as advertised and is the only one I could find that has the ability to turn trackback and pingbacks off in bulk without using a database query.