How To Prevent WordPress From Participating In Pingback Denial of Service Attacks

SucuriLogoSecurity research firm Sucuri is reporting more than 162,000 WordPress sites were used in a distributed denial of service attack. Compromised machines or websites are generally used to facilitate these types of attacks but in this case, clean WordPress sites were used via XML-RPC.

XML-RPC is used in WordPress as an API for third-party clients such as WordPress mobile apps, popular weblog clients like Windows Writer and popular plugins such as Jetpack. XML-RPC is used for pingbacks and trackbacks which are a good thing but can be heavily misused to start DDoS attacks.

Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.

One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.

To see if your site was misused, Sucuri has a DDoS scanner available. Enter your domain into the field provided and the scanner will try to locate it within their log files. If the domain doesn’t show up, you know the site wasn’t used to attack others. Thankfully, WPTavern was not used to attack any other websites.

WPTavern Was Not Used To Attack Other Sites
WPTavern Was Not Used To Attack Other Sites

Not As Easy As Turning Off XML-RPC

Unfortunately, disabling XML-RPC presents more problems than solutions. Jetpack uses it to authenticate with and then uses it after the fact to communicate with the Jetpack powered site. It would also disable the ability to use any of the WordPress mobile apps to communicate with the site.

Automattic employee Alex Shiels, responded in the comments of the article that they’ve identified the source of the pingbacks, and are looking to see if the Akismet plugin can help to prevent it. He also mentioned on Twitter the security team is working on a solution.

How To Disable Only Pingbacks

While Sucuri has a code snippet you can add to turn off only the pingback functionality of XML-RPC, I was told it will severely effect WordPress sites running on PHP 5.2 due to using an anonymous function. The following code snippet will work correctly without any adverse effects. It disables pingbacks while allowing things like Jetpack and WordPress mobile apps to function normally. Add the code to your theme’s functions.php file.

add_filter( ‘xmlrpc_methods’, ‘remove_xmlrpc_pingback_ping’ );
function remove_xmlrpc_pingback_ping( $methods ) {
unset( $methods[‘’] );
return $methods;
} ;

Is It Time For Pingbacks and Trackbacks To Go?

WPTavern is no stranger to denial of service attacks due to pingbacks and trackbacks. In 2010, I explained how WPTavern was trackbacked to death. Shortly after the website came back online, I disabled both as I feared they might end up taking the site down again. A few years have gone by and I’ve re-enabled pingbacks and trackbacks with no ill effects. However, I wonder if it’s time to kill them once and for all, not just on WPTavern but in WordPress in general.


20 responses to “How To Prevent WordPress From Participating In Pingback Denial of Service Attacks”

  1. PB and TB were fun when there were 1,000 WP blogs globally and it helped finding out each others, and before there were so many spam blogs auto-syndicating content. I for one killed them years ago. They are things from the past.

  2. Jeff, I’m a user not a coder – but is this the reason loads of wordpress users have been unable to access other * sites since Tuesday? And also the reason why my dashboard has finally come back into full dispaly and functionality?

  3. Instead of using the provided code, can’t you just remove the check in the box for pingbacks and trackbacks in the Settings/Discussion? This is what I did but am I missing something as I use JetPack? Would like to hear what your opinion-use the code or the unchecked box

  4. Hello, I have to dissent with some of the recommendations. The only one I can agree, is the fact that possibly now is time for XML RPC to say good bye to WP.


    XML RPC is only needed in a number of scenarios, and since this attack is being drived from any kind of WP websites, big and small ones, there are lots of cases where XML RPC is absolutely no needed. i.e.: when you use WP to build a site with a set of webpages, with no posts, or even no RSS, nor updates. Also when you won’t allow people to make comments, or if the comments are managed by Facebook/Disqus/JetPack/whatever and you won’t want to see pingbacks/trackbacks.

    I disabled the feature using the Disable XML-RPC plugin in a lot of websites (23) and can confirm that no damage has been done to JetPack Stats, nor the publishing to social networks have been effected. Also, I use plugins that retrieve a bunch of remote things, like InfiniteWP to remotely manage sites, Shareaholic and nRelate for Related Content and sharing, and no difference have been noticed.

    And please note, I didn’t experienced auth problems with JetPack.

    The only reason to keep XML RPC enabled is if you use to publish remotely to your site via third party apps. And that’s probably the way 10% of sites are using worldwide.

    Probably XML RPC should come disabled by default and have a wp-config switch to enable it only when you really need it.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.