How to Disable WordPress Pingback to Prevent Pingback Brute Force and DDoS Attacks?

WordPress is the most popular CMS and its market share keeps growing. That popularity also makes it the most attractive target, and attackers keep finding new ways to abuse WordPress websites. Recently, the WordPress XML-RPC interface has been abused to launch distributed denial-of-service (DDoS) and brute-force attacks against WordPress websites.

WordPress exposes an XML-RPC interface (xmlrpc.php) that lets users publish to a WordPress website from popular desktop and mobile weblog clients. It supports the Blogger API, the MetaWeblog API, the Movable Type API and the Pingback API, and plugins can register further methods. The same interface can be turned against you: because it accepts unauthenticated pingback requests from anyone, an attacker can make thousands of otherwise legitimate WordPress websites fetch URLs of his choosing, turning them into a platform for attacks on third parties.


What Is a Pingback and How Does It Work?

Pingback is WordPress' built-in linkback mechanism: it lets you receive a notification when someone links to one of your blog posts. When pingbacks are enabled on your WordPress website and you publish content that links to another website, your WordPress sends an XML-RPC request (the pingback.ping method, naming your post as the source URL and the linked page as the target URL) to the other site's xmlrpc.php. That site then fetches your post itself to verify that the link really exists before it records the pingback. The whole process goes like this:

  • We publish a post on our blog.
  • You publish a post on your blog that links to our post.
  • Your blogging platform automatically sends us a pingback: an XML-RPC call naming your post as the source and ours as the target.
  • Our blogging platform receives the pingback and automatically fetches your post to verify that the link is really there.
  • If it is, we can display your pingback as a comment on our post, which links back to your website.


Why Should We Disable Pingbacks?

A WordPress website with pingbacks enabled can be made to take part in a DDoS attack against another website. The pingback.ping method needs no authentication, and the receiving site fetches whatever source URL the request names in order to verify the link (step 4 above), so one crafted XML-RPC request is enough to make a site send a request to a victim of the attacker's choosing. Sent to thousands of legitimate WordPress websites, those single requests become a large distributed flood that reaches the victim from reputable web hosts rather than from the attacker's own address.

Attackers also use XML-RPC for large-scale brute-force attacks against WordPress logins. Every XML-RPC method that requires authentication, wp.getUsersBlogs being the usual choice, takes a username and password as its parameters, so each password guess can be sent as one small XML-RPC call rather than as a form submission to wp-login.php. Attackers have therefore largely moved from hammering the wp-admin login page to hammering xmlrpc.php: it is faster (no cookies, no redirects, and system.multicall lets a single POST carry many guesses at once), and it is harder to spot, because the access log shows a stream of identical "POST /xmlrpc.php" entries answered with HTTP 200 even when the password was wrong, instead of a run of failed logins on wp-login.php.
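The following scan is added here as an example; it is not part of the original article and not a WordPress or hosting-provider tool. It reads an access log in the Apache/nginx "combined" format and reports both patterns from this section: one client POSTing to xmlrpc.php many times within a minute (password guessing), and requests whose User-Agent starts with `WordPress/`, which is what a WordPress site sends when it fetches a page to verify a pingback (step 4 of the flow above) and, in volume, the sign that your site is the target of a reflected pingback flood. Newer WordPress versions append `verifying pingback from <ip>` to that User-Agent; when present, the script extracts it, because that is the address that actually submitted the pingback.ping call to the reflecting site. The log lines embedded below are constructed, and the filename and the threshold of five requests per minute are assumptions.

```php
<?php
/**
 * xmlrpc-abuse-scan.php (added example, not a WordPress or hosting tool).
 * Scans an access log in Apache/nginx "combined" format for:
 *   1. one client POSTing to xmlrpc.php many times within a minute
 *      (XML-RPC password guessing), and
 *   2. requests whose User-Agent starts with "WordPress/": another site
 *      fetching a page here to verify a pingback, which in volume means
 *      this site is the target of a pingback DDoS.
 *
 * Usage: php xmlrpc-abuse-scan.php /var/log/apache2/access.log
 * Without an argument it scans the constructed sample below.
 */

// Constructed sample, not taken from a real server: six rapid POSTs from
// one IP, one ordinary visitor, then three pingback verification fetches
// (two of them from WordPress versions that expose the submitting IP).
$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Mar/2015:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2015:14:02:40 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:14:03:01 +0000] "GET /?p=12345 HTTP/1.1" 200 8123 "-" "WordPress/4.1.1; http://blog-a.example; verifying pingback from 192.0.2.9"
198.51.100.5 - - [10/Mar/2015:14:03:01 +0000] "GET /?p=12346 HTTP/1.1" 200 8123 "-" "WordPress/3.8; http://blog-b.example"
198.51.100.6 - - [10/Mar/2015:14:03:02 +0000] "GET /?p=12347 HTTP/1.1" 200 8123 "-" "WordPress/4.1.1; http://blog-c.example; verifying pingback from 192.0.2.9"
LOG;

/** Parse one combined-format line into an array, or null if it does not match. */
function parseLine($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'minute' => substr($m[2], 0, 17),   // "10/Mar/2015:14:02"
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

/** "ip minute" => count, for clients that POSTed to xmlrpc.php at least $threshold times in one minute. */
function xmlrpcBursts(array $entries, $threshold)
{
    $counts = array();
    foreach ($entries as $e) {
        $path = explode('?', $e['path'], 2);   // ignore cache-busting query strings
        if ($e['method'] === 'POST' && $path[0] === '/xmlrpc.php') {
            $key = $e['ip'] . ' ' . $e['minute'];
            $counts[$key] = isset($counts[$key]) ? $counts[$key] + 1 : 1;
        }
    }
    return array_filter($counts, function ($n) use ($threshold) {
        return $n >= $threshold;
    });
}

/** Pingback verification fetches: reflector IP, fetched path and, when the UA reveals it, the IP that submitted the pingback. */
function pingbackVerifications(array $entries)
{
    $hits = array();
    foreach ($entries as $e) {
        if (strpos($e['ua'], 'WordPress/') !== 0) {
            continue;
        }
        $origin = null;
        if (preg_match('/verifying pingback from (\S+)$/', $e['ua'], $m)) {
            $origin = $m[1];
        }
        $hits[] = array('reflector' => $e['ip'], 'path' => $e['path'], 'origin' => $origin);
    }
    return $hits;
}

$lines   = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : explode("\n", $sampleLog);
$entries = array_filter(array_map('parseLine', $lines));   // drop lines that did not parse

foreach (xmlrpcBursts($entries, 5) as $key => $n) {
    list($ip, $minute) = explode(' ', $key);
    echo "brute-force suspect: $ip sent $n POSTs to /xmlrpc.php during $minute\n";
}

$verifs = pingbackVerifications($entries);
if ($verifs) {
    $reflectors = array_unique(array_column($verifs, 'reflector'));
    $origins    = array_unique(array_filter(array_column($verifs, 'origin')));
    printf("%d pingback verification fetches from %d WordPress sites\n", count($verifs), count($reflectors));
    foreach ($origins as $ip) {
        echo "  pingback.ping calls were submitted to those sites from: $ip\n";
    }
}
```

A handful of `WordPress/` fetches per day is normal (real pingbacks from real blogs); the attack looks like hundreds of them per minute from hundreds of different hosts, typically requesting your pages with random query strings so that caches are bypassed. The exposed origin address is the one to block at the firewall, since blocking the reflecting blogs one by one is hopeless. Newer WordPress versions also send an X-Pingback-Forwarded-For header with the verification fetch, carrying the same origin address; a custom log format can record it.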

How to secure your WordPress website against DDoS/Brute-Force attacks?

WordPress 3.9.2 shipped a fix that reduces the impact of some of these DDoS attacks, but as long as pingbacks and XML-RPC stay enabled your websites can still be abused. The safest setting is to disable pingbacks and XML-RPC entirely; if you need XML-RPC for remote publishing (the mobile apps or Jetpack, for example), keep it but remove the pingback methods. You can install the XML-RPC Pingback WordPress plugin to disable pingbacks on your website. One caveat when doing this by hand: WordPress' xmlrpc_enabled filter only governs methods that require authentication, so switching it off blocks the brute-force methods but does not block pingback.ping, which is unauthenticated and must be removed separately.
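Doing the same without a plugin, as an added example that is not part of this article and not the code of the plugin named above: the file below is a must-use plugin (drop it into wp-content/mu-plugins/ under any name, for instance the hypothetical disable-xmlrpc-pingback.php; must-use plugins load automatically and cannot be deactivated from wp-admin). It uses only filter and action hooks that exist in WordPress core, and it shows both the full shutdown and the narrower "keep XML-RPC, drop pingbacks" variant, including the caveat that xmlrpc_enabled alone leaves pingback.ping reachable.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks (added example)
 * Description: Must-use plugin; place in wp-content/mu-plugins/ (assumed location).
 */

// Full shutdown: turn off every XML-RPC method that needs a login
// (wp.getUsersBlogs, metaWeblog.*, mt.*, ...). Callers get XML-RPC fault
// 405 "XML-RPC services are disabled on this site." Caveat: core only
// consults this filter during the login step, so the unauthenticated
// pingback.ping method keeps working and is removed separately below.
// Comment this line out if you need XML-RPC for the mobile apps or Jetpack.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods themselves, plus system.multicall, which
// lets one POST carry many batched calls (useful for password guessing).
// Keep this even when xmlrpc_enabled stays on: a request for a method
// that is no longer registered simply gets a "method does not exist" fault,
// so this site can no longer be used as a pingback reflector.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint: WordPress sends an X-Pingback header
// with the xmlrpc.php URL, and themes print <link rel="pingback"> while
// pings_open() is true. (Themes that hardcode the link tag in header.php
// need editing separately.)
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false' );

// Outbound side: do not send pingbacks from this site either. 'pre_ping'
// hands over the list of URLs about to be pinged by reference; emptying
// it cancels the pings.
add_action( 'pre_ping', function ( &$links ) {
    $links = array();
} );
```

To check the result, send an XML-RPC call for system.listMethods to your own xmlrpc.php after deploying the file: pingback.ping and system.multicall must no longer appear in the list, and with xmlrpc_enabled off, any authenticated method must answer with the "XML-RPC services are disabled" fault rather than a login error. Also confirm with curl -I that the X-Pingback header is gone from a normal page response.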
