How to Disable WordPress Pingback to Prevent Pingback Brute Force and DDoS Attacks?

What Is a Pingback in WordPress?

Pingback is a feature in WordPress that notifies other websites when you link to their content, and lets them notify you in return. The notification is sent as an XML-RPC request to the linked site, which then fetches the linking page to verify that the link really exists.

While this feature can promote backlinks and engagement, it can also be exploited to perform large-scale DDoS (Distributed Denial-of-Service) and brute force attacks.


Why Disable Pingbacks?

Attackers can exploit the XML-RPC pingback functionality to:

  • Launch DDoS attacks by using your site to send pingback requests to a target server

  • Perform brute-force attacks using the wp.getUsersBlogs method to guess admin credentials

  • Avoid detection, since XML-RPC attacks often bypass traditional wp-login monitoring

Disabling pingbacks reduces your attack surface and prevents your site from becoming a tool in an attack against others.


How Pingback Attacks Work

  1. A WordPress website has XML-RPC and pingbacks enabled.

  2. An attacker sends a forged pingback request to the site using XML-RPC.

  3. While verifying the forged source URL, the site sends HTTP requests to the third-party server named in it, unknowingly participating in an attack on that server.

  4. The process is multiplied across thousands of compromised sites, creating a large-scale DDoS.


How to Disable WordPress Pingbacks

You can disable pingbacks in a few different ways:

Option 1: Use a Plugin (Recommended for Beginners)

Install a plugin like Disable XML-RPC Pingback or Stop XML-RPC Attack to block pingback features.

Steps:

  1. Log in to your WordPress admin dashboard.

  2. Go to Plugins > Add New.

  3. Search for Disable XML-RPC Pingback.

  4. Click Install Now and then Activate.

These plugins prevent your site from responding to malicious XML-RPC pingback requests without disabling other XML-RPC features you may still need.
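The same effect as those plugins can be achieved with a small must-use plugin. The following is an added example written for this article, not code from the plugins named above or from Softsys Hosting; it assumes the file is saved as wp-content/mu-plugins/disable-pingbacks.php and relies only on standard WordPress filter hooks.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks Only (added example)
 * Description: Removes the XML-RPC pingback methods and stops advertising the
 *              pingback endpoint, while leaving the rest of XML-RPC (remote
 *              publishing, mobile apps) working.
 * Assumed location: wp-content/mu-plugins/disable-pingbacks.php
 */

// 1. Remove the pingback methods from the XML-RPC server. After this,
//    xmlrpc.php answers "pingback.ping" with a "method not found" fault
//    instead of fetching whatever source URL the request names.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop announcing the endpoint: drop the X-Pingback response header that
//    WordPress adds to every front-end page.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Blank the pingback URL that themes print as <link rel="pingback"> via
//    get_bloginfo( 'pingback_url' ), so the <head> no longer points at xmlrpc.php.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Close pings on all posts, including existing content, so incoming
//    pingbacks are rejected even if a method is re-added by another plugin.
add_filter( 'pings_open', '__return_false' );
```

To confirm it took effect, an XML-RPC system.listMethods call against the site should no longer list pingback.ping, and the front page should no longer return an X-Pingback header.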


Option 2: Disable XML-RPC Completely

If you don't use any XML-RPC functionality (such as remote publishing or mobile apps), disable it entirely.

Add the following code to your theme’s functions.php file or a site-specific plugin:

add_filter( 'xmlrpc_enabled', '__return_false' );

This disables XML-RPC for the entire site, closing off that attack vector completely.


Option 3: Block XML-RPC via .htaccess (Apache Servers Only)

If your server runs Apache, you can block access to the xmlrpc.php file directly.

Add this to your .htaccess file:

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Note: Only use this if you're sure you don’t need XML-RPC for any legitimate use.


© Softsys Hosting