Prevent your WordPress install from participating in pingback denial of service attacks.
From sucuri.net:
Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.
Read FooPlugins' post "Beware: Your Site Is Part of a WordPress Pingback DDoS Botnet" and the following articles:
- How To Prevent WordPress From Participating In Pingback Denial of Service Attacks - wptavern.com
- More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack - sucuri.net
- xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My! - hackguard.com
Use Sucuri's WordPress DDoS Scanner to check whether your site is being used to DDoS other websites.
Yes, you can do that with the Disable XML-RPC plugin, but if you use popular plugins such as Jetpack, which rely on XML-RPC, those plugins will stop working entirely. That is why this small plugin exists: it disables only the pingback method rather than all of XML-RPC.
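The approach described above, as an added example (this is not the plugin's own source): a tiny WordPress plugin that removes only the `pingback.ping` method from the XML-RPC method table via the core `xmlrpc_methods` filter, so `xmlrpc.php` keeps serving everything Jetpack needs. The second filter, which drops the `X-Pingback` header, goes beyond what the readme shows and uses the core `wp_headers` filter.

```php
<?php
/*
Plugin Name: Disable pingback.ping (added example)
Description: Removes only the pingback.ping XML-RPC method so this site cannot be used as a pingback reflector, while the rest of XML-RPC (e.g. Jetpack) keeps working.
*/

// The WordPress XML-RPC server passes its method table through the
// 'xmlrpc_methods' filter before dispatching a request. Removing the
// 'pingback.ping' entry makes the IXR server answer with fault -32601,
// "server error. requested method pingback.ping does not exist.", which is
// exactly the response the readme says you should see after activation.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Optional hardening not shown in the readme: WordPress advertises the
// pingback endpoint with an X-Pingback header on every page. Dropping it
// makes the endpoint less discoverable, although xmlrpc.php itself still
// responds (that is the point: other XML-RPC clients keep working).
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Save this as a single `.php` file in `wp-content/plugins/` and activate it, or place it in `wp-content/mu-plugins/` so it is always loaded and cannot be deactivated from the dashboard. Because only one entry is removed from the method table, Jetpack and the mobile apps continue to authenticate and publish over XML-RPC as before.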
You can easily test your site to see if you are open to this vulnerability. Follow these steps and replace http://YOUR-SITE-URL.com with the URL of your site:
- Install the Chrome extension PostMan.
- As your request URL, enter http://YOUR-SITE-URL.com/xmlrpc.php
- Make sure you are doing a POST.
- Set your request body to RAW with the following content:

    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>http://YOUR-SITE-URL.com</string></value></param>
        <param><value><string>http://YOUR-SITE-URL.com/hello-world/</string></value></param>
      </params>
    </methodCall>

- Make sure the second param is a valid blog post URL that exists in your WordPress site.
- Send the request!
If you get back a response saying the pingback from http://YOUR-SITE-URL.com to http://YOUR-SITE-URL.com/hello-world/ was registered, then your site is wide open. Here is a screenshot of PostMan:
After activating this plugin, sending the same request again should result in an error response from the site: "server error. requested method pingback.ping does not exist.", as seen in this screenshot:
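The same self-check as a command-line script, added here as an example (not part of the readme or the plugin): it builds the `pingback.ping` request shown above for your own site, posts it to `xmlrpc.php`, and classifies the XML-RPC reply as "open" (pingback registered, or any other pingback fault, meaning the method still exists) or "protected" (the method-missing fault the readme describes). The URLs are placeholders you supply on the command line, the `check_site`/`classify_pingback_response` names are this example's own, and the embedded sample fault reply is constructed for offline demonstration.

```php
<?php
// Usage (both URLs are placeholders for your own site and one real post on it):
//   php pingback-selfcheck.php http://YOUR-SITE-URL.com http://YOUR-SITE-URL.com/hello-world/
// With no arguments the script classifies a constructed sample reply instead.

// Build the same XML-RPC body the readme pastes into PostMan.
function build_pingback_request( string $source, string $target ): string {
    $source = htmlspecialchars( $source, ENT_XML1 | ENT_QUOTES, 'UTF-8' );
    $target = htmlspecialchars( $target, ENT_XML1 | ENT_QUOTES, 'UTF-8' );
    return '<?xml version="1.0"?>'
        . '<methodCall><methodName>pingback.ping</methodName><params>'
        . '<param><value><string>' . $source . '</string></value></param>'
        . '<param><value><string>' . $target . '</string></value></param>'
        . '</params></methodCall>';
}

// Classify an XML-RPC reply body: 'open', 'protected' or 'unknown'.
function classify_pingback_response( string $body ): string {
    $xml = @simplexml_load_string( $body );
    if ( $xml === false ) {
        return 'unknown';
    }
    // Faults arrive as <fault><value><struct> with faultCode/faultString members.
    if ( isset( $xml->fault ) ) {
        foreach ( $xml->fault->value->struct->member as $member ) {
            if ( (string) $member->name === 'faultString'
                && strpos( (string) $member->value->string, 'does not exist' ) !== false ) {
                return 'protected'; // the pingback.ping method has been removed
            }
        }
        // Any other fault ("already registered", "source does not link to
        // target", ...) means the method exists and the server processed the
        // pingback, including fetching the source URL, so the site is open.
        return 'open';
    }
    // A <params> reply means the pingback was registered.
    return isset( $xml->params ) ? 'open' : 'unknown';
}

// POST the request to your own xmlrpc.php and classify the reply.
function check_site( string $site, string $post ): string {
    $context = stream_context_create( [ 'http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: text/xml\r\n",
        'content'       => build_pingback_request( $site, $post ),
        'timeout'       => 15,
        'ignore_errors' => true, // keep the body even on a non-2xx status
    ] ] );
    $reply = @file_get_contents( rtrim( $site, '/' ) . '/xmlrpc.php', false, $context );
    return $reply === false ? 'unknown' : classify_pingback_response( $reply );
}

// Constructed sample of the reply the readme expects after activating the plugin.
const SAMPLE_PROTECTED_REPLY = '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    . '<member><name>faultCode</name><value><int>-32601</int></value></member>'
    . '<member><name>faultString</name><value><string>server error. requested method pingback.ping does not exist.</string></value></member>'
    . '</struct></value></fault></methodResponse>';

if ( PHP_SAPI === 'cli' ) {
    if ( $argc === 3 ) {
        echo check_site( $argv[1], $argv[2] ), PHP_EOL;
    } else {
        echo classify_pingback_response( SAMPLE_PROTECTED_REPLY ), PHP_EOL; // protected
    }
}
```

Note that "open" is reported for every fault except the method-missing one on purpose: WordPress only returns faults such as "already registered" after it has fetched the source URL, which is the very behaviour a pingback DDoS abuses. Run the script only against a site you administer, and keep the second URL a post that actually exists so the check exercises the same path the PostMan steps do.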
I did not write this code. I just put it together in a plugin so more people can easily install and use it. Original code from wptavern.com and sucuri.net in the links above.

