1. Syed Balkhi

    I liked the old solution where XML-RPC was disabled by default and users had an option to turn it on as needed.

    Would be curious to know what percentage of WordPress users actually use the WordPress mobile app.


  2. Ozh

    PB and TB were fun when there were 1,000 WP blogs globally and they helped us find each other, and before there were so many spam blogs auto-syndicating content. I for one killed them years ago. They are things from the past.


    • Jeff Chandler

      I know you killed them a long time ago, I linked to your article when I wrote about the Tavern being Trackbacked to death :) I think I’ve reached the point where I’m just going to disable them once and for all. Fewer things to moderate :P


  3. Valeriy

    Hello Jeff, the brackets look a little unbalanced. Maybe line no.5 must not be
    `} );`



  4. Jemima Pett

    Jeff, I’m a user not a coder – but is this the reason loads of WordPress users have been unable to access other *.wordpress.com sites since Tuesday? And also the reason why my wordpress.org dashboard has finally come back into full display and functionality?


  5. John Adams

    Instead of using the provided code, can’t you just remove the check in the box for pingbacks and trackbacks in Settings/Discussion? This is what I did, but am I missing something as I use JetPack? Would like to hear your opinion: use the code or the unchecked box?


  6. Jim Walker

    Yes, ended up writing an article about this last week, which gives some general instructions on how to reduce the impact of the latest attacks, “xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!,” http://hackguard.com/xmlrpc-php-ping-backs-hackers-denial-service-attacks


  7. Marcelo Pedra

    Hello, I have to dissent with some of the recommendations. The only one I can agree with is that possibly now is the time for XML RPC to say goodbye to WP.


    XML RPC is only needed in a number of scenarios, and since this attack is being driven from any kind of WP website, big and small ones, there are lots of cases where XML RPC is absolutely not needed. i.e.: when you use WP to build a site with a set of webpages, with no posts, or even no RSS, nor updates. Also when you won’t allow people to make comments, or if the comments are managed by Facebook/Disqus/JetPack/whatever and you don’t want to see pingbacks/trackbacks.

    I disabled the feature using the Disable XML-RPC plugin on a lot of websites (23) and can confirm that no damage has been done to JetPack Stats, nor has publishing to social networks been affected. Also, I use plugins that retrieve a bunch of remote things, like InfiniteWP to remotely manage sites, Shareaholic and nRelate for Related Content and sharing, and no difference has been noticed.

    And please note, I didn’t experience auth problems with JetPack.

    The only reason to keep XML RPC enabled is if you publish remotely to your site via third party apps. And that’s probably the way 10% of sites worldwide are used.

    Probably XML RPC should come disabled by default and have a wp-config switch to enable it only when you really need it.


  8. AMADO

    Thank you for the insight Marcelo. I too have installed “Disable XML-RPC” on about 120 WordPress sites and till this time have experienced no difficulty. Thank you.


  9. karks88

    I think it’s time just to remove pingbacks from core. I can’t remember the last time I left it turned on.


  10. WPWeekly Episode 141 – One Million WordCamps In Ohio

    […] Beta Testers, Start Your Engines: 3.9 Beta 1 Released How To Prevent WordPress From Participating In Pingback Denial of Service Attacks Take The 2014 bbPress Survey Aesop Story Engine Launches Commercial WordPress Themes Why Company […]


  11. Christine

    Does it help at all if you delete the xmlrpc php file? I read that somewhere once ages ago.


  12. r109

    So does this still apply in 2014 after the 3.9.2 patch? Because I’m getting hammered to the point the datacenter is calling me and telling me to get rekt’d

    Also, why not create a drop-in plugin?
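
    What the “drop-in plugin” r109 asks for, and the wp-config switch Marcelo suggests in comment 7, could look like the following. This is an added example written for this page; it is not code from the original article, from WP Tavern, or from any commenter. It uses three core WordPress filters that exist in 3.5 and later (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`); the constant name `MY_ALLOW_XMLRPC` and the file name are assumptions chosen for the example.

```php
<?php
/*
Plugin Name: Pingback DoS hardening (added example)
Description: Drop this file into wp-content/mu-plugins/ and it loads with no activation step.
             Example code, not from the original post or from WordPress core.
*/

// Hypothetical wp-config.php switch (assumed name for this example):
//   define( 'MY_ALLOW_XMLRPC', true );
// keeps XML-RPC available for remote-publishing apps such as the mobile app.
// When the constant is absent or false, the whole endpoint is turned off.
if ( ! defined( 'MY_ALLOW_XMLRPC' ) || ! MY_ALLOW_XMLRPC ) {
	// Core filter: returning false makes every XML-RPC call fail with
	// "XML-RPC services are disabled on this site".
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Even when XML-RPC stays enabled for remote publishing, unregister the
// pingback.ping method: it is the one call that makes this site issue an
// outbound HTTP request to a URL supplied by whoever calls xmlrpc.php.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'] );
	return $methods;
} );

// Stop advertising the endpoint: core adds an X-Pingback header on single
// posts with pings open, and scanners use it to find sites to bounce through.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
```

    A quick way to confirm the result is `curl -s -d '' https://example.com/xmlrpc.php` (example hostname): with the switch off you get the “XML-RPC services are disabled” fault; with it on, a `system.listMethods` call should no longer list `pingback.ping`. Unchecking “Attempt to notify any blogs linked to from the article” in Settings › Discussion, as John Adams describes, only stops this site from sending pingbacks; it does not stop it from accepting `pingback.ping` requests, which is what the filter above addresses.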


  13. jaska

    yeah, it’s here again. 3.9.2 is evil.


Comments are closed.
