• Cheap & Best Hosting

How to prevent Pingback DDoS attacks to your WordPress

You already know what the Bruteforce attacks that recently swept WordPress. And you know what that means Pingback DDoS attack? In this article will present several gaps in WordPress, which performs the so-called. “Pingback DDoS” attack by xmlrpc.php. And in addition we offer 5 solutions that will effectively help you to protect yourself against this type of attacks!

What is xmlrpc.php and what this file in the folder of the installed WordPress?

WordPress uses the XML-RPC interface because it is implemented using a special feature in WordPress API (WordPress API). This function is used to synchronize with the initial API variations WP prefix. This support mainly serves for WordPress plugins. Feature is on by default in WordPress 3.5, as in previous versions is controlled by the user – can be powered down, as desired.

What is it used xmlrpc.php?

xmlrpc.php is mainly used for:

– Direct posts in your blog using TextMate, Flock and other customers

– Directly publish to your blog using Eudora, Thunderbird and other email applications

– Get pingbacks and trackbacks to your site from other blogs.

Generally each of the above options using the remote publication in WordPress, like most blogs primarily used XML-RPC protocol functionality for tracking and comparison.

What does that mean – security holes in WordPress allows malicious people to publish content of any type directly into your WordPress site.

And if xmlrpc.php a security risk?

Serious shortcomings in xmlrpc.php has affected more than 100 million websites around the world. Through this file, by using Pingback function (checking for update blog) is performed Pingback DDoS attack. Interesting about this vulnerability is that an attacker does not need to compromise the site. Exploit-a does not need to compile and run applications using the UNIX command line. So is caused by your domain to send http requests to the target as can be put thousands of queries in parallel, the equivalent of a small botnet with unlimited range of sources of IP addresses! Most sites can not withstand such attacks and several thousand of these requests. Moreover if the sites use more resources and perform multiple scripts.

Included in WordPress Pingback mechanism soon known for their security risk. First publication of this risk appears December 2012. It is after the information in this publication consumers start to perform port scanning through this mechanism. At that time, Bogdan Calin of Acunetix refers to the ability to perform DDoS attacks through Pingback mechanism, which is becoming more pressing issue.

An attempt was made ​​to remove falling vulnerability in WordPress version 3.5.1 by applying filters allowed URL addresses, it solves the problem of port scans and attacks SSRF. But ‘functionality of the mechanism Pingback leave the space as vulnerability unsolved even after the update to version 3.5.2.

What are the possible solutions?

1) Always watch for updates on WordPress and if the application informs you of the new version, h adalzhitelno update application.

2) Remove xmlrpc.php – if you are not using any of the above features of the file, this is one of the safest ways to eliminate potential security vulnerability. If you do not need remote publishing or constant monitoring to update the information another successful option is to rename the file with a simple command: mv xmlrpc.phpsome_name or by using an FTP client or File Manager.

3) Add a filter in the file functions.php – another option for termination of the pingback mechanism e add the following lines to functions.php:

functionremove_x_pingback ($ headers) {

unset ($ headers [‘X-Pingback’]);

return $ headers;


add_filter (‘wp_headers’, ‘remove_x_pingback’);

Or by removing links to xmlrpc.php and wlwmanifest.xml through a filter in the same file:

functionremoveHeadLinks () {

remove_action (‘wp_head’, ‘rsd_links ;);

remove_ction (‘wp_head’, ‘wlwmanifest_link’);


Add_action (‘init’, ‘removeHeadLinks’);

This will prevent these two files to be connected to the upper, but the files themselves are available.

If you use this method, do check on off remote publication.


4) Remove the abuse by scanning through directories xmlrpc.php file.

To avoid scanning directories  vulnerability to File, you can use option which adds a directive. Htaccess


RedirectMatch 301 / (. *) / Xmlrpc \. Php http://domain.tld/xmlrpc.php


5) Restrict access to xmrpc.php, as the file remains available.

Another option to restrict access to the file through the Directive. Htaccess:


RedirectMatch 403 / (. *) / Xmlrpc \. Php $


Be sure to protect your WordPress website or blog by “Pingback DDoS” attack!

Domain Search