How To Prevent WordPress From Participating In Pingback Denial of Service Attacks

Security research firm Sucuri is reporting that more than 162,000 WordPress sites were used in a distributed denial of service attack. Such attacks are usually launched from compromised machines or websites, but in this case the participants were clean, fully patched WordPress sites, abused through their XML-RPC endpoint.

XML-RPC is the API WordPress exposes to third-party clients: the WordPress mobile apps, desktop weblog editors such as Windows Live Writer, and popular plugins such as Jetpack. The same endpoint, xmlrpc.php, also receives pingbacks. When another site links to one of your posts it calls your site's pingback.ping method, and your server then fetches the linking page to verify that the link really exists. That verification fetch is what makes pingbacks useful, and also what makes them easy to misuse: a caller can name any URL as the "linking page" and your server will dutifully request it. (Trackbacks serve a similar purpose but arrive as a plain HTTP POST rather than through XML-RPC.)

From Sucuri's report: "Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk."

One attacker can thus turn thousands of popular, clean WordPress sites into a DDoS against a single target while staying hidden: the victim's logs show only the reflecting sites, never the attacker. All it takes is a pingback request to each site's XML-RPC file.

To see if your site was misused, Sucuri has made a DDoS scanner available. Enter your domain into the field provided and the scanner will try to locate it in the logs Sucuri collected during the attack. If the domain doesn't show up, your site was not among the reflectors they observed. Thankfully, WPTavern was not used to attack any other websites.
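Sites on the receiving end of such an attack can run the same kind of lookup over their own access log. The added example below is not from the original post or from Sucuri's tooling; it relies on one property of the WordPress HTTP client, namely that the verification fetch which lands on the victim carries a User-Agent of the form "WordPress/<version>; <site URL>", so each log line names the clean site that was abused. The log lines, hostnames and IP addresses are constructed for the example.

```python
"""Identify WordPress sites used as pingback reflectors from a victim's access log.

When a WordPress site is abused as a reflector, the request that reaches the
victim is that site's pingback *verification fetch*. WordPress's HTTP client
sends User-Agent "WordPress/<version>; <site url>", so the victim can list
exactly which sites were used, which is the lookup Sucuri's scanner performs
against its own logs.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (combined log format), not real traffic: three reflectors,
# one ordinary browser, one non-WordPress bot. The varying query strings are
# what a cache-busting attacker would cause the reflectors to request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 200 5123 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.11 - - [10/Mar/2014:11:05:27 -0400] "GET /?9912843=2201112 HTTP/1.0" 200 5123 "-" "WordPress/3.8; http://blog-b.example"
203.0.113.10 - - [10/Mar/2014:11:05:28 -0400] "GET /?7781231=1111 HTTP/1.0" 200 5123 "-" "WordPress/3.8.1; http://blog-a.example"
198.51.100.7 - - [10/Mar/2014:11:05:29 -0400] "GET /about/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.12 - - [10/Mar/2014:11:05:30 -0400] "GET /?1=2 HTTP/1.0" 200 5123 "-" "WordPress/3.7.1; https://blog-c.example/"
192.0.2.5 - - [10/Mar/2014:11:05:31 -0400] "GET /feed/ HTTP/1.1" 200 2048 "-" "Feedly/1.0 (+http://www.feedly.com/fetcher.html)"
"""

# Combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Default User-Agent of WordPress's HTTP API: "WordPress/<version>; <home url>"
WP_UA_RE = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<url>\S+)')


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reflector_of(entry):
    """Hostname of the WordPress site that made this fetch, or None if not WordPress."""
    m = WP_UA_RE.match(entry['ua'])
    if not m:
        return None
    host = urlsplit(m.group('url')).hostname
    return host.lower() if host else None


def summarize_reflectors(log_text):
    """Count verification fetches per reflecting WordPress site."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        host = reflector_of(entry)
        if host:
            counts[host] += 1
    return counts


def was_used_as_reflector(log_text, domain):
    """The Sucuri-style question: does this domain appear among the reflectors?"""
    return domain.lower() in summarize_reflectors(log_text)


if __name__ == '__main__':
    for host, n in summarize_reflectors(SAMPLE_LOG).most_common():
        print(f'{n:6d}  {host}')
    print('blog-b.example used as reflector:',
          was_used_as_reflector(SAMPLE_LOG, 'blog-b.example'))
```

Because the User-Agent is set by the reflecting site's own WordPress install rather than by the attacker, it is a reliable attribution for traffic that genuinely came through pingbacks; a direct attacker could still forge the same string, so corroborate a suspicious entry with its source IP before notifying a site owner.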

WPTavern Was Not Used To Attack Other Sites

Not As Easy As Turning Off XML-RPC

Unfortunately, disabling XML-RPC outright creates more problems than it solves. Jetpack uses it to authenticate with WordPress.com and thereafter to communicate with the Jetpack-powered site, and turning it off would also stop any of the WordPress mobile apps from talking to the site.

Automattic employee Alex Shiels responded in the comments of the article that they have identified the source of the pingbacks and are looking into whether the Akismet plugin can help prevent it. He also mentioned on Twitter that the security team is working on a solution.

How To Disable Only Pingbacks

Sucuri published a code snippet that turns off only the pingback half of XML-RPC, but I was told it will break WordPress sites running on PHP 5.2: it uses an anonymous function, and closures only exist from PHP 5.3 onward, so on 5.2 the file fails to parse and the whole site goes down. The snippet below uses a named callback instead and has no such problem. It removes the pingback.ping method from the XML-RPC server, the method a remote site (or an attacker posing as one) calls to make your server fetch a page, so your site can no longer be used as a reflector, while Jetpack, the mobile apps and every other XML-RPC method keep working. It does not change the outgoing pingbacks your own posts send; those remain governed by the Discussion settings. Add the code to your theme's functions.php file, or to a small site-specific plugin so the change survives a theme switch.

add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
   unset( $methods['pingback.ping'] ); // drop only the pingback handler; every other XML-RPC method stays
   return $methods;
}
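After deploying the snippet, check from the outside that it took effect. The added example below is not from the original post; it uses XML-RPC's standard system.listMethods introspection call, which WordPress's xmlrpc.php answers without authentication, to confirm that pingback.ping is no longer advertised while the methods remote publishing depends on (wp.getUsersBlogs is the one the mobile apps start with) are still present. The two sample responses are constructed for offline testing; the live check at the bottom needs a site URL as its argument.

```python
"""Verify that pingback.ping is gone from a WordPress site's XML-RPC endpoint.

system.listMethods returns the names of every method the endpoint will serve,
so a hardened site should answer without 'pingback.ping' but still list the
wp.* methods that Jetpack and the mobile apps rely on.
"""
import sys
import xmlrpc.client
from urllib.parse import urljoin

# Constructed sample responses (not captured from a real site): one with the
# pingback handler removed, one with the WordPress default method set.
HARDENED_RESPONSE = xmlrpc.client.dumps(
    (['system.listMethods', 'wp.getUsersBlogs', 'wp.newPost', 'wp.getPosts',
      'demo.sayHello'],),
    methodresponse=True,
)
UNHARDENED_RESPONSE = xmlrpc.client.dumps(
    (['system.listMethods', 'wp.getUsersBlogs', 'wp.newPost', 'wp.getPosts',
      'pingback.ping', 'pingback.extensions.getPingbacks', 'demo.sayHello'],),
    methodresponse=True,
)


def build_list_methods_request():
    """The XML body sent to xmlrpc.php to ask for the served method names."""
    return xmlrpc.client.dumps((), methodname='system.listMethods')


def parse_list_methods_response(body):
    """Turn a methodResponse body into the list of advertised method names."""
    (methods,), _ = xmlrpc.client.loads(body)
    return list(methods)


def assess(methods):
    """Two facts that matter after the fix: reflector gone, remote publishing kept."""
    return {
        'pingback_exposed': 'pingback.ping' in methods,
        'remote_publishing_intact': 'wp.getUsersBlogs' in methods,
    }


def check_pingback_exposed(site_url):
    """Live check against <site_url>/xmlrpc.php (pass the URL with a trailing slash).

    A Fault or HTTP error propagates to the caller; that means the endpoint
    refused introspection, which this check cannot interpret further.
    """
    proxy = xmlrpc.client.ServerProxy(urljoin(site_url, 'xmlrpc.php'))
    return assess(proxy.system.listMethods())


if __name__ == '__main__':
    if len(sys.argv) > 1:
        print(check_pingback_exposed(sys.argv[1]))
    else:
        print('hardened  :', assess(parse_list_methods_response(HARDENED_RESPONSE)))
        print('unhardened:', assess(parse_list_methods_response(UNHARDENED_RESPONSE)))
```

Run it as `python check_pingback.py https://example.com/` against your own site; a result of pingback_exposed False together with remote_publishing_intact True is what the functions.php snippet is meant to produce.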

Is It Time For Pingbacks and Trackbacks To Go?

WPTavern is no stranger to denial of service attacks due to pingbacks and trackbacks. In 2010, I explained how WPTavern was trackbacked to death. Shortly after the website came back online, I disabled both as I feared they might end up taking the site down again. A few years have gone by and I’ve re-enabled pingbacks and trackbacks with no ill effects. However, I wonder if it’s time to kill them once and for all, not just on WPTavern but in WordPress in general.

20 Comments


  1. I liked the old solution where XML-RPC was disabled by default and users had an option to turn it on as needed.

    Would be curious to know what percentage of WordPress users actually use the WordPress mobile app.



  2. PB and TB were fun when there were 1,000 WP blogs globally and they helped us find each other, before there were so many spam blogs auto-syndicating content. I for one killed them years ago. They are things from the past.



    1. I know you killed them a long time ago, I linked to your article when I wrote about the Tavern being Trackbacked to death :) I think I’ve reached the point where I’m just going to disable them once and for all. Fewer things to moderate :P



  3. Hello Jeff, the brackets look a little unbalanced. Maybe line no. 5 should be not
    } );
    but
    };

    ???



  4. Jeff, I’m a user not a coder – but is this the reason loads of WordPress users have been unable to access other *.wordpress.com sites since Tuesday? And also the reason why my wordpress.org dashboard has finally come back into full display and functionality?



  5. Instead of using the provided code, can’t you just uncheck the box for pingbacks and trackbacks in Settings/Discussion? This is what I did, but am I missing something as I use JetPack? Would like to hear your opinion: use the code or the unchecked box?



    1. I had to double check to make sure, but if you turn off trackbacks/pingbacks from the Settings page, only posts/pages created from that point on will have them disabled. You’ll need to run a database query to turn them off for all existing posts/pages. WP Beginner explains what to do in this post http://www.wpbeginner.com/wp-tutorials/how-to-disable-trackbacks-and-pings-on-existing-wordpress-posts/

      Just make sure you backup your site first before messing with the database.



  6. Hello, I have to dissent from some of the recommendations. The only one I can agree with is that it is possibly time for XML-RPC to say goodbye to WP.

    JETPACK STATS AND COMMENTS AREN’T DAMAGED IF YOU DISABLE XML-RPC.

    XML-RPC is only needed in a number of scenarios, and since this attack is being driven from all kinds of WP websites, big and small ones, there are lots of cases where XML-RPC is absolutely not needed. i.e.: when you use WP to build a site with a set of webpages, with no posts, or even no RSS, nor updates. Also when you won’t allow people to make comments, or if the comments are managed by Facebook/Disqus/JetPack/whatever and you don’t want to see pingbacks/trackbacks.

    I disabled the feature using the Disable XML-RPC plugin on a lot of websites (23) and can confirm that no damage has been done to JetPack Stats, nor has publishing to social networks been affected. Also, I use plugins that retrieve a bunch of remote things, like InfiniteWP to remotely manage sites, Shareaholic and nRelate for Related Content and sharing, and no difference has been noticed.

    And please note, I didn’t experience auth problems with JetPack.

    The only reason to keep XML-RPC enabled is if you publish remotely to your site via third-party apps. And that’s probably how 10% of sites worldwide are used.

    Probably XML-RPC should come disabled by default and have a wp-config switch to enable it only when you really need it.



  7. Thank you for the insight Marcelo. I too have installed “Disable XML-RPC” on about 120 WordPress sites and till this time have experienced no difficulty. Thank you.



  8. I think it’s time just to remove pingbacks from core. I can’t remember the last time I left it turned on.




  9. Does it help at all if you delete the xmlrpc php file? I read that somewhere once ages ago.



    1. Hello Christine, that’s not a good idea since it may break other WP functionality. You can always deactivate XML-RPC using a plugin or a hook in the functions.php file. By far, if you don’t want to mess with PHP, the best and simplest approach is installing the Disable XML-RPC plugin:
      https://wordpress.org/plugins/disable-xml-rpc/



  10. So does this still apply in 2014 after 3.9.2 patch? Because I’m getting hammered to the point the datacenter is calling me and telling me to get rekt’d

    Also, why not create a drop-in plugin?



  11. Yeah, it’s here again. 3.9.2 is evil.


Comments are closed.