A part of the standard WordPress package, Pingbacks allow remote blogs to notify your site when they have linked to your content. Unfortunately, hackers have found a way to exploit this in order to cause a Distributed Denial of Service (DDOS) attack against other websites and servers.
Unless you really understand what a pingback is, Conetix highly recommends that you disable pingbacks. This article guides you through the methods available to disable pingbacks.
Apache based block
- To prevent access to the xmlrpc.php file, the easiest way is to edit your .htaccess. You can do this via the Plesk File Manager or edit locally and FTP the file back to the server. Add the following:
# XMLRPC Pingback DDOS Prevention <Files xmlrpc.php> Order Deny,Allow Deny from all </Files>
- This will block all access to the XML-RPC for WordPress as soon as the file is saved.
- Login to your Conetix Control Panel or Plesk VPS. Within the WordPress Toolkit, click Check Security:
- Check “Turn off pingbacks” and click on Secure at the top of the page:
- Your WordPress site will now block pingback requests.
- Sucuri Blog: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
- Ars Technica: http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/
- Akamai Blog: https://blogs.akamai.com/2014/03/anatomy-of-wordpress-xml-rpc-pingback-attacks.html