WordPress has become the most popular CMS and keeps increasing its market share. The downside is that this popularity encourages attackers to keep finding new ways to exploit WordPress sites. For example, the WordPress XML-RPC interface has been abused to launch distributed denial-of-service (DDoS) and brute-force attacks both against WordPress sites and from them.
WordPress ships an XML-RPC interface (xmlrpc.php) that lets users publish to a WordPress site from popular weblog clients. It supports the Blogger API, MetaWeblog API, Movable Type API, and Pingback API, and plugins can extend it further. The same interface is what attackers abuse: the pingback methods are reachable without any login, so an exploited WordPress site can be turned into a platform for attacks on third parties.
What is Pingback, and How Does it Work?
Pingback is WordPress's built-in linkback mechanism: it lets you receive a notification when someone links to one of your posts. With pingbacks enabled, publishing a post that links to another site makes your WordPress send that site an XML-RPC request (the pingback.ping method). The receiving site then fetches your post to verify that the incoming link really exists before it accepts the pingback.
The process works like this:
- We publish a post on our blog.
- You publish a post on your blog that links to our post.
- Your blogging platform automatically sends our site a pingback: an XML-RPC pingback.ping call naming your post as the source and ours as the target.
- Our blogging platform receives the pingback and automatically fetches your post to verify that the link is present.
- If it is, we can display your pingback as a comment on our post, linking back to your website.
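The exchange above, as an added example that is not part of the original article: it serialises the pingback.ping call a linking blog sends, and implements the receiving blog's verification step against constructed sample pages instead of live HTTP. The URLs, page contents and helper names are assumptions for the example; the point to notice is that the receiving server fetches whatever source URL the caller supplied, before it knows whether the pingback is genuine.

```python
"""Added example (not from the original article): how a WordPress-style
pingback.ping exchange looks on the wire, and how the receiving blog
verifies it.  Everything runs offline against constructed sample pages."""
import re
import xmlrpc.client

# Constructed sample pages standing in for the HTTP GET the receiving blog makes.
SAMPLE_PAGES = {
    "https://your-blog.example/2024/hello": (
        '<html><body><p>Great post over at '
        '<a href="https://our-blog.example/posts/42">our blog</a></p></body></html>'
    ),
    "https://victim.example/": "<html><body>No links here</body></html>",
}


def build_pingback(source_uri: str, target_uri: str) -> bytes:
    """Serialise the XML-RPC call a blogging platform POSTs to the target
    site's xmlrpc.php when a post at source_uri links to target_uri."""
    return xmlrpc.client.dumps((source_uri, target_uri),
                               methodname="pingback.ping").encode()


def parse_pingback(body: bytes):
    """Receiving side: decode the call and return (source_uri, target_uri)."""
    params, method = xmlrpc.client.loads(body.decode())
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError("not a pingback.ping call")
    return params


def fetch(url: str) -> str:
    """Stand-in for the server-side HTTP GET.  In real WordPress this is a
    live request to a caller-chosen URL, which is what makes pingback
    usable for DDoS: the caller decides whom the server connects to."""
    if url not in SAMPLE_PAGES:
        raise ConnectionError(f"constructed fetch has no page for {url}")
    return SAMPLE_PAGES[url]


def verify_pingback(body: bytes, our_post_urls: set) -> dict:
    """The receiving blog's decision: is the target one of our posts, and
    does the source page really link to it?  'fetched' records which URL
    the server contacted while deciding."""
    source, target = parse_pingback(body)
    if target not in our_post_urls:
        return {"accepted": False, "reason": "target is not our post", "fetched": None}
    page = fetch(source)  # the request an attacker can point at a victim
    links = re.findall(r'href="([^"]+)"', page)
    ok = target in links
    return {"accepted": ok,
            "reason": "link found" if ok else "link missing",
            "fetched": source}
```

Run the verifier twice: once with a genuine source page and once with a source URL that points at an unrelated host. The second pingback is rejected, but only after the server has already made an outbound request to that host, which is exactly the behaviour the next section describes.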
Why should we disable pingbacks?
A WordPress site with pingback enabled can be used in DDoS attacks against other sites. The verification step is the weak point: pingback.ping requires no authentication, and the server fetches whatever source URL the caller supplies. An attacker therefore sends one small XML-RPC request to each of thousands of legitimate WordPress sites, naming the victim as the source, and every one of those sites makes an outbound request to the victim. The result is a large-scale DDoS carried out by innocent WordPress installations.
Nowadays attackers also use XML-RPC, specifically the wp.getUsersBlogs method, for large-scale brute-force attacks against WordPress logins. wp.getUsersBlogs takes a username and password, so it can be called over and over to guess passwords and possibly gain access to administrator accounts. Rather than hammering the wp-login.php login page, attackers prefer XML-RPC because it is faster (the system.multicall method lets a single HTTP request carry hundreds of guesses) and harder to detect, since each batch shows up in the access log as one POST to xmlrpc.php.
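To make the brute-force point concrete, here is an added example (not code from the original article) that builds a system.multicall batch of wp.getUsersBlogs attempts and a small detector that counts credential attempts per POST body and per client address. The wordlist, usernames, IP addresses and thresholds are constructed for the example; only the XML-RPC method names are WordPress's own.

```python
"""Added example (not from the original article): what an XML-RPC
password-guessing batch looks like, and a detector that counts
credential attempts per request.  The wordlist, usernames and
request log below are constructed for the example."""
from collections import Counter
import xmlrpc.client

# Constructed stand-in for an attacker's password list
GUESSES = ["admin", "password", "123456", "letmein", "wordpress"]


def build_single(username: str, password: str) -> bytes:
    """One wp.getUsersBlogs call: the shape a legitimate client sends
    (one credential check per POST)."""
    return xmlrpc.client.dumps((username, password),
                               methodname="wp.getUsersBlogs").encode()


def build_multicall(username: str, passwords) -> bytes:
    """system.multicall carrying one wp.getUsersBlogs attempt per password.
    This is why XML-RPC brute force is faster than wp-login.php: one HTTP
    request per batch instead of one per guess."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def credential_attempts(body: bytes):
    """Return (attempt_count, Counter of usernames) found in one POST body
    to xmlrpc.php, unpacking system.multicall batches.  Only wp.getUsersBlogs
    is inspected here; other wp.* methods carry credentials at other
    parameter positions and would need their own rule."""
    params, method = xmlrpc.client.loads(body.decode(errors="replace"))
    if method == "system.multicall":
        calls = params[0]
    else:
        calls = [{"methodName": method, "params": list(params)}]
    users = Counter()
    for call in calls:
        p = call.get("params", [])
        if call.get("methodName") == "wp.getUsersBlogs" and len(p) == 2:
            users[str(p[0])] += 1
    return sum(users.values()), users


def flag_sources(requests, threshold: int = 10) -> dict:
    """requests: iterable of (client_ip, body) for POSTs to xmlrpc.php.
    Aggregate credential attempts per client and return {ip: attempts}
    for clients at or above threshold.  A single request with many
    attempts is itself a strong indicator: no normal client batches logins."""
    per_ip = Counter()
    for ip, body in requests:
        try:
            n, _ = credential_attempts(body)
        except Exception:
            continue  # malformed XML: not a credential attempt
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


# Constructed request log: one editor logging in normally, one attacker batching
SAMPLE_REQUESTS = [
    ("198.51.100.7", build_single("editor", "correct-horse")),
    ("203.0.113.9", build_multicall("admin", GUESSES * 4)),  # 20 guesses in 1 POST
]
```

In a real deployment you would feed flag_sources from captured request bodies (a WAF or reverse proxy that logs POST bodies), not from the access log alone, since the access log shows only one line per batch and hides the multiplier.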
How to secure your WordPress website against DDoS/Brute-Force attacks?
WordPress 3.9.2 shipped a fix that reduced the impact of some of these DDoS attacks, but as long as pingback and XML-RPC remain enabled on your site, it can still be abused.
To protect your WordPress site against such attacks, disable pingbacks and, unless something you rely on needs it, XML-RPC itself.
How to disable WordPress Pingback?
To disable Pingback on your WordPress website, follow these steps:
- Log in to your WordPress dashboard.
- Go to Settings >> Discussion.
- Under "Default article settings," uncheck the box next to "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts."
- Click the "Save Changes" button.
That's it! This disables pingbacks for all future posts. Existing posts keep their own per-post setting, so if you want to switch them off as well, change the setting on those posts (bulk edit in the Posts list works for this).
How to disable XML-RPC?
There are two methods for disabling XML-RPC from WordPress.
Method 1: Disable XML-RPC manually
Add the following rule to your site's .htaccess file. This only works on Apache, and only where the server honours .htaccess (AllowOverride must permit it). It makes the web server answer every request to xmlrpc.php with 403 Forbidden before WordPress runs at all:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

On Apache 2.4 the equivalent directive inside the same <Files> block is Require all denied (the order/deny syntax is only understood there if mod_access_compat is loaded). Save the file; the change takes effect immediately, with no restart. If your site runs on nginx, .htaccess is ignored and the equivalent deny rule has to go in the server configuration instead.
Method 2: Disable XML-RPC with the help of a plugin
If you are not comfortable editing server files, you can do it with a plugin instead. Follow the steps below:
- Log in to your WordPress dashboard.
- Navigate to Plugins >> Add New.
- Search for Disable XML-RPC Pingback.
- Install and activate the plugin. It hooks into WordPress to switch the functionality off, so no manual file edits are needed.
(Note: some plugins and clients still rely on parts of XML-RPC, for example Jetpack and the WordPress mobile apps, so disabling it completely can stop those features working or cause plugin conflicts. Also check what a given plugin actually turns off: a plugin that only uses WordPress's xmlrpc_enabled filter blocks authenticated methods such as wp.getUsersBlogs but leaves the unauthenticated pingback.ping method reachable, so for the DDoS problem you want either the web-server block from Method 1 or a plugin that removes the pingback methods themselves.)
As a result, you have disabled XML-RPC access and added an extra layer of security to your WordPress site.
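Whichever method you used, verify it from the outside rather than trusting the dashboard. The following is an added example (not part of the original article or any plugin) that sends a system.listMethods call to xmlrpc.php and classifies the answer: an HTTP error means the web server is blocking the file, an XML-RPC fault means a filter-based disable answered, and a method list that still contains pingback.ping means the pingback problem is not solved. The URL and the sample responses are constructed for the example.

```python
"""Added example (not from the original article): probe a site's
xmlrpc.php after hardening and classify what is still reachable.
The sample responses used in the test are constructed; probe() does a
real POST to whatever URL you give it."""
import urllib.error
import urllib.request
import xmlrpc.client

# system.listMethods needs no credentials, so it is the cleanest probe.
LIST_METHODS_REQUEST = xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def classify(status: int, body: bytes) -> str:
    """Turn the HTTP status and body returned by xmlrpc.php into a verdict."""
    if status in (401, 403, 404, 405):
        return "blocked"  # the web-server rule is doing its job
    if status != 200:
        return f"unexpected-{status}"
    try:
        params, _ = xmlrpc.client.loads(body.decode(errors="replace"))
    except xmlrpc.client.Fault as fault:
        return f"fault-{fault.faultCode}"  # e.g. 405 from a filter-based disable
    except Exception:
        return "not-xmlrpc"  # e.g. an HTML error page or a redirect body
    methods = set(params[0]) if params and isinstance(params[0], list) else set()
    if "pingback.ping" in methods:
        return "pingback-exposed"  # DDoS vector is still open
    if methods:
        return "xmlrpc-exposed"  # pingback gone, but XML-RPC still answers
    return "empty"


def probe(url: str, timeout: float = 5.0) -> str:
    """POST system.listMethods to url (for example https://site.example/xmlrpc.php)
    and return the classify() verdict.  HTTP errors are classified too."""
    req = urllib.request.Request(url, data=LIST_METHODS_REQUEST, method="POST",
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    import sys
    # Usage: python probe_xmlrpc.py https://your-site.example/xmlrpc.php
    print(probe(sys.argv[1]))
```

After the .htaccess block you should see "blocked"; after a filter-only plugin you may see "fault-405" or, worse, "pingback-exposed", which tells you the pingback methods are still callable and a second measure is needed.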