Pingback is a feature in WordPress that notifies other websites when you link to their content and vice versa. This notification is sent through an XML-RPC request, which attempts to verify the link source.
While this feature can promote backlinks and engagement, it can also be exploited to perform large-scale DDoS (Distributed Denial-of-Service) and brute force attacks.
Attackers can exploit the XML-RPC pingback functionality to:
Launch DDoS attacks by using your site to send pingback requests to a target server
Perform brute-force attacks using the wp.getUsersBlogs method to guess admin credentials
Avoid detection, since XML-RPC attacks often bypass traditional wp-login monitoring
Disabling pingbacks reduces your attack surface and prevents your site from becoming a tool in an attack against others.
A WordPress website has XML-RPC and pingbacks enabled.
An attacker sends a forged pingback request to the site using XML-RPC.
The site unknowingly participates in attacking a third-party server via HTTP requests.
The process is multiplied across thousands of compromised sites, creating a large-scale DDoS.
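Because XML-RPC abuse does not show up in wp-login monitoring, the first thing a defender wants is visibility into the endpoint itself. The following must-use plugin is an added example, not code from the article or from any plugin it names: it logs every pingback.ping request (with the URL the site would be asked to fetch) and every failed XML-RPC login to the PHP error log. It uses the real WordPress hooks xmlrpc_call, wp_login_failed and the XMLRPC_REQUEST constant; the file name, the xal_ function names and the choice of error_log as the sink are my own assumptions.

```php
<?php
/**
 * Plugin Name: XML-RPC Activity Logger (added example, not part of the original article)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before themes and plugins.
 * It writes one line per pingback request and per failed XML-RPC login to the PHP
 * error log, so XML-RPC abuse shows up next to the wp-login activity you already watch.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Best-effort client address. REMOTE_ADDR is what PHP saw; if the site sits behind a
 * proxy you trust, map that proxy's header here instead (assumption: no proxy).
 */
function xal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
}

/**
 * xmlrpc_call fires inside every XML-RPC method. Since WordPress 5.7 it also passes the
 * method arguments; older versions pass only the method name, hence the defaults.
 * For pingback.ping, $args[0] is the page claiming to link to us (the URL WordPress
 * would fetch to verify the link) and $args[1] is the local post being linked to.
 * In a reflection attack, $args[0] is the victim.
 */
function xal_log_pingback_call( $method, $args = array(), $server = null ) {
    if ( 'pingback.ping' !== $method ) {
        return;
    }
    $source = isset( $args[0] ) ? esc_url_raw( (string) $args[0] ) : '';
    $target = isset( $args[1] ) ? esc_url_raw( (string) $args[1] ) : '';
    error_log( sprintf(
        'xmlrpc pingback.ping from %s source=%s target=%s',
        xal_client_ip(),
        $source,
        $target
    ) );
}
add_action( 'xmlrpc_call', 'xal_log_pingback_call', 10, 3 );

/**
 * wp_login_failed fires for every failed authentication, including the login step that
 * wp.getUsersBlogs and all other authenticated XML-RPC methods go through. XMLRPC_REQUEST
 * is defined by xmlrpc.php, so checking it keeps ordinary wp-login failures out of
 * this log line.
 */
function xal_log_xmlrpc_login_failure( $username, $error = null ) {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }
    $reason = is_wp_error( $error ) ? $error->get_error_code() : 'unknown';
    error_log( sprintf(
        'xmlrpc login failure from %s user=%s reason=%s',
        xal_client_ip(),
        sanitize_user( (string) $username, true ),
        $reason
    ) );
}
add_action( 'wp_login_failed', 'xal_log_xmlrpc_login_failure', 10, 2 );
```

A burst of pingback.ping lines from one client, all naming the same source URL, is the signature of your site being used as a reflector; a run of xmlrpc login failures against the same username is the brute-force pattern that wp-login monitoring alone would miss. Feed the error log into whatever alerting you already use for wp-login.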
You can disable pingbacks in a few different ways:
Install a plugin like Disable XML-RPC Pingback or Stop XML-RPC Attack to block pingback features.
Steps:
Log in to your WordPress admin dashboard.
Go to Plugins > Add New.
Search for Disable XML-RPC Pingback.
Click Install Now and then Activate.
These plugins prevent your site from responding to malicious XML-RPC pingback requests without disabling other XML-RPC features you may still need.
If you don't use any XML-RPC functionality (such as remote publishing or mobile apps), disable it entirely.
Add the following code to your theme's functions.php file or a site-specific plugin:
add_filter( 'xmlrpc_enabled', '__return_false' );
This disables XML-RPC for the entire site, closing off that attack vector completely.
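The pingback-only plugins mentioned earlier and the one-line filter above are two ends of the same idea, and the following must-use plugin, an added example rather than the article's or any plugin's code, covers both. One point worth knowing when choosing: WordPress applies the xmlrpc_enabled filter only in the login path, so it shuts off authenticated methods such as wp.getUsersBlogs but not the unauthenticated pingback.ping, which is why the example also unregisters the pingback methods explicitly through the xmlrpc_methods filter. The hooks xmlrpc_enabled, xmlrpc_methods, wp_headers and the rsd_link action are real WordPress APIs; the file name, the hx_ function names and the HX_DISABLE_ALL_XMLRPC constant are my own.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not part of the original article)
 *
 * Place in wp-content/mu-plugins/ . Define HX_DISABLE_ALL_XMLRPC as false in
 * wp-config.php to keep authenticated XML-RPC (mobile apps, remote publishing)
 * while still removing pingbacks, which is what the pingback-only plugins do.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

if ( ! defined( 'HX_DISABLE_ALL_XMLRPC' ) ) {
    define( 'HX_DISABLE_ALL_XMLRPC', true ); // assumption: full disable unless configured otherwise
}

/**
 * Unregisters the pingback methods. xmlrpc_enabled is consulted only when a method
 * logs in, and pingback.ping never does, so it has to be removed from the method
 * table directly. Other XML-RPC methods are left untouched here.
 */
function hx_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'hx_remove_pingback_methods' );

/**
 * Drops the X-Pingback response header so the endpoint is not advertised on every page.
 */
function hx_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'hx_remove_pingback_header' );

// The RSD <link> in <head> also advertises xmlrpc.php; remove it for the same reason.
remove_action( 'wp_head', 'rsd_link' );

if ( HX_DISABLE_ALL_XMLRPC ) {
    // Same effect as the article's one-liner: every method that requires a login
    // now answers with "XML-RPC services are disabled on this site".
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Go one step further and empty the method table, so even unauthenticated
    // methods are gone. Priority 20 runs after hx_remove_pingback_methods.
    add_filter( 'xmlrpc_methods', '__return_empty_array', 20 );
}
```

With the constant left at its default the site behaves like the "disable it entirely" option; with it set to false you get the selective behaviour of the pingback-blocking plugins, implemented in a file you can read. Either way the xmlrpc.php script still executes for each request; if you want the web server to refuse the request before PHP runs at all, use the server-level block described next.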
If your server runs Apache, you can block access to the xmlrpc.php file directly. Add this to your .htaccess file:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Note: Only use this if you're sure you don't need XML-RPC for any legitimate use. The Order/Deny directives are Apache 2.2 syntax; Apache 2.4 still honours them through mod_access_compat, but its native equivalent is a single Require all denied line inside the same <Files> block.