Celebrate Our 22nd Anniversary with Huge Savings! Up to 70% Off

  Categories

Affiliate Questions
37
Billing & Accounts
48
Client Area Tutorials
37
Cloud Hosting
27
Control Panels
772
Database Server
116
Dedicated Servers
11
Form Downloads
5
Mail Servers Tutorials
223
Miscellaneous Articles
236
Pre-Sales Questions
612
Video Tutorials
1
VPS Hosting
678
Web Hosting
181
Web Services
112
Website Migration
9
WordPress Hosting
211

  Categories

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket

How to Disable WordPress Pingback to Prevent Pingback Brute Force and DDoS Attacks?

Print

WordPress has become the most popular CMS, continuously increasing its market share. But the downside is that WordPress's popularity encourages hackers to find new methods to exploit WordPress websites. For example, WordPress XML-RPC exploit was recently used to launch distributed denial-of-service (DDoS) and brute-force attacks against WordPress websites. 

WordPress uses an XML-RPC interface, allowing users to post to a WordPress website through popular Weblog clients. WordPress supports the Blogger APIMetaWeblog APIMovable Type API, and Pingback API. WordPress plugins can further extend this functionality. WordPress XML-RPC also allows attackers to exploit WordPress websites so that exploited WordPress websites can be used as a platform to launch attacks through pingback exploits.

What is Pingback, and How Does it Work?

Pingback is a built-in linkback functionality that can be used to receive a notification when someone links to your blog posts. When you enable the pingback in your WordPress website and post content that links to another website, an XML-RPC request is sent to another website which will automatically pingback to the source website to verify whether the incoming link is live or not. 

The process works like this:

  • We published a post on our blog.
  • You publish a post on your blog with a link to one of our blogs.
  • Your blogging platform will automatically send us a pingback.
  • Our blogging platform will receive the pingback.
    It will automatically go to your blog to verify that the link is present there.
  • Now, we can display your pingback as a comment on our blog.
    This will be a link to your website.

Why should we disable pingbacks?

A WordPress website with Pingback enabled can be used in DDOS attacks against other websites. An attacker can exploit pingback functionality through simple commands and an XML-RPC request. Thus, thousands of legitimate WordPress websites can be exploited to launch a large-scale DDoS attack.

Nowadays, attackers use XML-RPC vulnerabilities and XML-RPC wp.getUsersBlogs function to generate large-scale brute force attacks against WordPress sites. WordPress XML-RPC requires a username and password, so attackers are now using a method like wp.getUsersBlogs to guess many passwords and possibly gain access to WordPress admin accounts. Rather than conducting brute force on awp-admin page, attackers have begun to utilize XML-RPC, the fastest method to generate brute force and harder to detect.

How to secure your WordPress website against DDoS/Brute-Force attacks?

WordPress version 3.9.2 was released with a fix that reduced the impact of some DDoS attacks, but if pingback and XML-RPC are still enabled in your WordPress website, your websites can be exploited. 

To protect your WordPress website against such attacks, disable pingback and XML-RPC.

How to disable WordPress Pingback?

To disable Pingback on your WordPress website, follow these steps:

  • Log in to your WordPress dashboard.
  • Go to Settings >> Discussion.
  • Under "Default article settings," uncheck the box next to "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts."

  • Click the "Save Changes" button.

That's it! This will disable pingbacks on your WordPress site for all future posts.

How to disable XML-RPC?

There are two methods for disabling XML-RPC from WordPress.

Method 1: Disable XML-RPC manually

Add the code to your .htaccess file to disable XML-RPC from the WordPress website.

Edit the site's .htaccess file and add the following code:

Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny.allow
deny from all
</Files>

Click on Save to save your changes, and this code disables XML-RPC.

Method 2: Disable XML-RPC with the help of a plugin

If you are unfamiliar with coding, you can also do it using a plugin. Just follow the below steps:

  • Login to your WordPress dashboard
  • Navigate to Plugin>> Add New
  • Search in the search bar Disable XML-RPC Pingback.
  • Install and Activate the Plugin. This Plugin will automatically insert the necessary code that turns off XML-RPC.

(Note: some plugins still utilize parts of XML-RPC, and disabling this completely may result in cause with disabling some aspects of your site no longer working or plugin conflict.)

As a result, you have disabled XML-RPC access and added an extra layer of security to your WordPress site.

Was this answer helpful?

Related Articles

How to Upload a WordPress Theme? Sometimes you must upload and install a WordPress theme manually, especially when using a... How to Install WordPress via WP-CLI on Almalinux? What is WP-CLI? WP-CLI (WordPress Command Line Interface) is a command-line tool for WordPress... How to resolve WordPress error faced while removing a plugin - Deletion failed: There has been a critical error on this website. When attempting to delete a WordPress plugin, you might encounter the following error message and... How to Install Theme in WordPress Website? Before we show you how you can install the theme on your WordPress website, let us first... How to Make a WordPress Website Search Engine-Friendly? You can make your WordPress blog SEO-friendly by configuring the URL structure with permalinks....
« Back

Copyright © 2003-2025 AccuWebHosting.com USA | Designed By: AccuWebTech.Com

chat