How to Disable XML-RPC Pingback in WordPress?
You can remotely publish articles using a tablet, a smartphone, or Windows Live Writer thanks to WordPress’ fantastic XML-RPC tool. When you leave XML-RPC enabled on your WordPress blog, there is, however, a risk. Recently, using xml-rpc on one of my WordPress blogs, an attacker transmitted some spam traffic to several domains. Because it was an outdated WordPress version (on an abandoned domain), even the xml-rpc may have been vulnerable to an attack. The xml-rpc in the most recent WordPress version, however, concerns me as to its security. If you ever want to disable xml-rpc on WordPress, there are three ways to do it.
99% of pingbacks are spam. Because pingbacks are usually shown as regular comments, spammers send pingback notifications to try to create a link back to their content and collect link juice from the targeted website. Furthermore, abusing the XML-RPC pingback feature can make distributed denial-of-service (DDoS) attacks easier. This weakness lets an attacker make reliable blogs and websites unwittingly take part in DDoS attacks against particular websites.
How does Pingback DDoS operate?
In order to launch a DDoS attack against a target system, a malicious hacker sends specially crafted pingback requests to a large number of innocent WordPress blogs that have pingbacks enabled, deceiving them into believing the originator is the target system. The blogs then unwittingly send a deluge of responses, delivering unwanted traffic to the target system.
If you stop pingbacks, DDoS assaults against your blog are no longer possible. Actually, you should disable only some of the supported XML-RPC functionality. If you disable all of it, you can experience issues with some of your plugins, like JetPack, which rely on XML-RPC to communicate with distant servers.
Method 1: using onboard means
The simplest fix is to uncheck the item in WordPress’ settings. Under Settings->Discussion, uncheck the box next to “Allow link notifications from other blogs (pingbacks and trackbacks)”. Select “Save Changes” after that.
This will only block pingbacks (and trackbacks) for upcoming posts and pages; it won’t affect existing posts and pages. To disable them for the already-existing posts and pages as well, you must run a few SQL queries. You can use the phpMyAdmin tool for this. Simply look for the phpMyAdmin tool in your web hosting account’s cPanel control panel. Once there, locate the database for the blog and select the SQL tab. Then type the following commands:
-- wp_posts assumes the default "wp_" table prefix; adjust it if your install uses another prefix
UPDATE wp_posts SET ping_status = 'closed'
WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status = 'closed'
WHERE post_status = 'publish' AND post_type = 'page';
To find out which database is used by your blog follow these steps:
- Connect to your hosting account with an FTP client, for example, WinSCP;
- Navigate to your site’s root directory, usually public_html;
- Locate and open the wp-config.php file;
- Within this file locate the string DB_NAME; it should bring you to a declaration like this: define('DB_NAME', 'pref_wp239'); The second parameter is the name of the database.
Method 2: Using Plugins
One of the simplest plugins, and one that does exactly what it says, is disable-xml-rpc-pingback. This free plugin disables only the pingback part of the XML-RPC API.
Just go to Plugins->Add New and enter “disable xml rpc pingback” in the search box. Then install “Disable XML-RPC Pingback” by Samuel Aguilera. When done, you have to activate it.
Method 3: A little coding
Just go to Appearance->Editor, then choose functions.php and add this code at the end:
// disable pingbacks
add_filter( 'xmlrpc_methods', function( $methods ) {
    // remove the pingback.ping method from the list of XML-RPC methods WordPress exposes
    unset( $methods['pingback.ping'] );
    return $methods;
} );
Don’t forget to click on “Update File” when finished.
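To confirm that the filter took effect, you can ask your own site which XML-RPC methods it still advertises. The following check is an added example, not part of the original article or of the plugin; it builds a system.listMethods request and reports any pingback.* methods in the response. The sample responses are constructed for illustration, and the function names are hypothetical.

```python
import urllib.request
import xmlrpc.client


def list_methods_request() -> bytes:
    """XML-RPC body for system.listMethods (the call takes no parameters)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def pingback_methods(response_xml: str):
    """Return the sorted pingback.* methods a system.listMethods response
    still advertises, or None if the server answered with a fault."""
    try:
        params, _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault:
        return None  # no method list came back, so nothing can be concluded
    return sorted(m for m in params[0] if m.startswith("pingback."))


def fetch_method_list(xmlrpc_url: str) -> str:
    """POST the request to your own site's xmlrpc.php and return the raw reply."""
    req = urllib.request.Request(
        xmlrpc_url, data=list_methods_request(),
        headers={"Content-Type": "text/xml"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real site).
BEFORE = xmlrpc.client.dumps((["system.listMethods", "wp.getPosts",
                               "pingback.ping",
                               "pingback.extensions.getPingbacks"],),
                             methodresponse=True)
AFTER = xmlrpc.client.dumps((["system.listMethods", "wp.getPosts",
                              "pingback.extensions.getPingbacks"],),
                            methodresponse=True)
FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(405, "constructed fault"),
                            methodresponse=True)

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER), ("fault", FAULT)):
        print(label, pingback_methods(xml))
```

In the "after" sample, pingback.ping is gone but pingback.extensions.getPingbacks is still listed, because the snippet above unsets only pingback.ping.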