Remove XMLRPC Pingback Ping
Prevent your WordPress install from participating in pingback denial of service attacks.
From sucuri.net:
Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.
Read the FooPlugin post: Beware: Your Site Is Part of a WordPress Pingback DDoS Botnet
Learn More
- How To Prevent WordPress From Participating In Pingback Denial of Service Attacks - wptavern.com
- More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack - sucuri.net
- xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My! - hackguard.com
Is Your Site Attacking Others?
Use Sucuri's WordPress DDoS Scanner to check whether your site is DDoS'ing other websites.
Why Not Just Disable XMLRPC Altogether?
Yes, you can do that with the Disable XML-RPC plugin, but popular plugins such as Jetpack that rely on XML-RPC will then stop working completely. That is why this small plugin exists: it removes only the pingback.ping method, so the rest of XML-RPC keeps working.
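The plugin's own source is not shown on this page; the following is an added example (not the plugin's code) of the approach the text describes: hooking the xmlrpc_methods filter and dropping only the pingback.ping entry, so other XML-RPC clients such as Jetpack are unaffected. The second and third hooks, which stop the site advertising pingback support through the X-Pingback header and the pingback URL themes print, are an assumed extra that the page does not mention. Function names prefixed rxpp_ are placeholders.

```php
<?php
/**
 * Plugin Name: Remove pingback.ping (added example)
 * Description: Drops only the pingback.ping XML-RPC method so the site cannot be
 *              used as a pingback DDoS reflector, while Jetpack and other XML-RPC
 *              clients keep working. Example code, not the plugin's own source.
 */

// wp_xmlrpc_server applies 'xmlrpc_methods' to its method table in its
// constructor. Returning the table without 'pingback.ping' makes the server
// answer such calls with XML-RPC fault -32601:
// "server error. requested method pingback.ping does not exist."
add_filter( 'xmlrpc_methods', 'rxpp_remove_pingback_ping' );
function rxpp_remove_pingback_ping( array $methods ): array {
    unset( $methods['pingback.ping'] );
    return $methods;
}

// Assumed extra (not described on the page): stop advertising pingback support
// so clients and scanners are not pointed at xmlrpc.php in the first place.
// WordPress adds an X-Pingback header on singular posts with pings open;
// 'wp_headers' lets us drop it before it is sent.
add_filter( 'wp_headers', 'rxpp_remove_pingback_header' );
function rxpp_remove_pingback_header( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
}

// Themes print <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>">;
// bloginfo() runs the 'bloginfo_url' filter for URL-type fields, so returning
// an empty string blanks that tag.
add_filter( 'bloginfo_url', 'rxpp_blank_pingback_url', 10, 2 );
function rxpp_blank_pingback_url( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}
```

To confirm the filter took effect without sending any request, you can inspect the method table from WP-CLI: `wp eval 'var_dump( isset( ( new wp_xmlrpc_server() )->methods["pingback.ping"] ) );'` should print `bool(false)` once the plugin is active (the constructor applies the filter, and `$methods` is a public property).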
How To Test Your Site?
You can easily test your site to see if you are open to this vulnerability. Follow these steps and replace http://YOUR-SITE-URL.com with the URL of your site:
- Install the Chrome extension Postman.
- As your request URL, enter http://YOUR-SITE-URL.com/xmlrpc.php
- Make sure you are sending a POST request.
- Set your request body to RAW with the following content:

    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>http://YOUR-SITE-URL.com</string></value></param>
        <param><value><string>http://YOUR-SITE-URL.com/hello-world/</string></value></param>
      </params>
    </methodCall>

- Make sure the second param is a valid blog post URL that exists on your WordPress site.
- Send the request!
If you get back a response saying the pingback from http://YOUR-SITE-URL.com to http://YOUR-SITE-URL.com/hello-world/ was registered, then your site is wide open. Here is a screenshot of Postman:
After activating this plugin, sending the same request as above should result in an error response from the server: "server error. requested method pingback.ping does not exist.", as seen in this screenshot:
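The manual Postman check above can be scripted so it can be re-run after every plugin or WordPress update. The following is an added example, not part of this plugin: a command-line PHP script that sends the same pingback.ping request to a site you administer and classifies the XML-RPC response. The URLs are placeholders; the second must be a real post on your site, as the steps above say. It treats fault -32601 (the "requested method pingback.ping does not exist" response this plugin produces) as "removed" and any other XML-RPC reply, including other faults, as "exposed", because WordPress only reaches those other faults after pingback.ping has run.

```php
<?php
// Added example, not the plugin's code. Self-check for pingback.ping exposure.
// Usage: php pingback-check.php http://YOUR-SITE-URL.com http://YOUR-SITE-URL.com/hello-world/
// (placeholder URLs; use your own site and an existing post on it)

// Build the same XML-RPC body the Postman steps use.
function build_pingback_request(string $source, string $target): string {
    $s = htmlspecialchars($source, ENT_XML1);
    $t = htmlspecialchars($target, ENT_XML1);
    return "<?xml version=\"1.0\"?>\n"
         . "<methodCall><methodName>pingback.ping</methodName><params>"
         . "<param><value><string>{$s}</string></value></param>"
         . "<param><value><string>{$t}</string></value></param>"
         . "</params></methodCall>";
}

// Classify an xmlrpc.php response body.
// Returns ['verdict' => 'removed'|'exposed'|'unparsed', 'detail' => string].
// 'removed'  : fault -32601, the method is gone (what this plugin produces)
// 'exposed'  : a success string, or any other fault (e.g. "already registered",
//              "source does not link to target"), all of which mean the
//              method exists and was executed
// 'unparsed' : not an XML-RPC response (xmlrpc.php blocked, HTML error page)
function classify_pingback_response(string $body): array {
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body);
    if ($xml === false || $xml->getName() !== 'methodResponse') {
        return ['verdict' => 'unparsed', 'detail' => 'response is not an XML-RPC methodResponse'];
    }
    if (!isset($xml->fault)) {
        return ['verdict' => 'exposed', 'detail' => trim((string) $xml->params->param->value->string)];
    }
    $code = null;
    $text = '';
    foreach ($xml->fault->value->struct->member as $member) {
        if ((string) $member->name === 'faultCode') {
            $code = (int) $member->value->int;
        } elseif ((string) $member->name === 'faultString') {
            $text = (string) $member->value->string;
        }
    }
    $verdict = ($code === -32601) ? 'removed' : 'exposed';
    return ['verdict' => $verdict, 'detail' => "fault {$code}: {$text}"];
}

// POST the request and return the raw body, or null on a transport failure.
function send_pingback(string $url, string $xml): ?string {
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: text/xml\r\n",
        'content'       => $xml,
        'ignore_errors' => true, // keep the body on 4xx/5xx so it can be classified
        'timeout'       => 15,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $site = rtrim($argv[1], '/');
    $post = $argv[2];
    $body = send_pingback($site . '/xmlrpc.php', build_pingback_request($site, $post));
    $result = $body === null
        ? ['verdict' => 'unparsed', 'detail' => 'no response from xmlrpc.php']
        : classify_pingback_response($body);
    echo "pingback.ping on {$site}: {$result['verdict']} ({$result['detail']})\n";
    // Non-zero exit when the method is still reachable, so the check can gate a deploy.
    exit($result['verdict'] === 'exposed' ? 1 : 0);
}
```

With the plugin active the script prints "removed (fault -32601: server error. requested method pingback.ping does not exist.)" and exits 0; on an unprotected site it prints "exposed" with the registration message from the steps above and exits 1.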
Disclaimer
I did not write this code. I just put it together in a plugin so more people can easily install and use it. Original code from wptavern.com and sucuri.net in the links above.