WordPress pingback attack

A problem with the WordPress pingback function has been found. This problem makes it possible to use the site for a DDoS attack on other WordPress sites.

If you do not use the pingback function, there are multiple ways to disable it.

  • You can go to settings and uncheck “Allow link notifications from other blogs”. This will not remove the pingback from existing posts, so you have to edit the existing posts manually.
  • Rename the xmlrpc.php file in the root of the WordPress installation.
  • Add this to your functions.php file:

    // Remove pingback.ping from the XML-RPC methods WordPress exposes.
    add_filter( 'xmlrpc_methods', function( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    } );

    This will disable pingback on all posts.
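To confirm the change took effect, the following added example (not part of the original post) checks whether a site still advertises pingback.ping in its XML-RPC method list. It assumes the standard system.listMethods call; the function names, the URL you pass to check_site and the sample responses are constructed for illustration.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

TARGET = "pingback.ping"  # the method the filter above removes


def classify(methods):
    """Report whether the advertised method list still contains pingback.ping."""
    return "enabled" if TARGET in methods else "disabled"


def pingback_status(xml_body):
    """Classify one raw system.listMethods response body."""
    try:
        params, _ = xmlrpc.client.loads(xml_body)
    except xmlrpc.client.Fault:
        return "fault"            # endpoint answered with an XML-RPC fault
    except (ExpatError, xmlrpc.client.ResponseError):
        return "not-xmlrpc"       # e.g. an HTML error page
    return classify(params[0])


def check_site(xmlrpc_url):
    """Ask a site you administer for its method list (needs network access)."""
    proxy = xmlrpc.client.ServerProxy(xmlrpc_url)
    try:
        return classify(proxy.system.listMethods())
    except xmlrpc.client.ProtocolError as err:
        # A renamed xmlrpc.php typically shows up here as HTTP 404.
        return "unreachable (HTTP %d)" % err.errcode
    except xmlrpc.client.Fault:
        return "fault"
    except (ExpatError, xmlrpc.client.ResponseError):
        return "not-xmlrpc"


# Constructed sample responses (not captured from a real site).
BEFORE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPost", "pingback.ping"],), methodresponse=True)
AFTER = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPost"],), methodresponse=True)
FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(405, "constructed fault"))

if __name__ == "__main__":
    for name, body in (("before", BEFORE), ("after", AFTER), ("fault", FAULT)):
        print(name, "->", pingback_status(body))
```

Run check_site against the xmlrpc.php URL of a site you administer, before and after the change, and expect the result to move from "enabled" to "disabled" (or to an unreachable result if you renamed the file).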

You can read more information on the pingback problem here.


June 8th, 2014