A WordPress pingback vulnerability has been reported that could put your site at risk of being used in a distributed denial-of-service (DDoS) attack.
Many WordPress bloggers use pingbacks and trackbacks to get notifications when someone links to their posts. I am one that likes to use them as well. But unfortunately, this new pingback vulnerability puts all our WordPress sites at risk.
A big thanks goes out to Bogdan Calin at Acunetix for his article “WordPress Pingback Vulnerability” alerting the public. He states that somebody posted on Reddit about a WordPress scanner that takes advantage of this new WordPress vulnerability. And even if you disable trackbacks, the threat still exists.
Which version of WordPress is affected?
While reading through the comments on Bogdan's article, it seems that even WordPress 3.5 is at risk. So it looks like all versions are affected.
guly
actually in my overnight tests i found that a blog post where trackbacks are disabled isn’t vulnerable. disabling it worked as a fix for my test installation, of course YMMV.
Bogdan Calin
That’s not my experience. In my case it worked even if trackbacks were disabled. I’ve tested on WordPress 3.5.
Source: http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/#comment-33097
How do you protect your WordPress blog from this pingback vulnerability?
According to Bogdan, there is no current fix but it has been reported to WordPress and will probably be fixed soon. In the meantime, you can disable your pingbacks and trackbacks from your WordPress Dashboard as follows:
UPDATE: 12/29/2012
Thanks to Kimberly Castleberry for letting us know about the new “Prevent XMLRPC” plugin by Nathan Briggs.
The plugin makes it easy for users, so you don't have to rename the file (see below). To turn pingbacks and trackbacks back on once the vulnerability is fixed, just deactivate and delete the plugin.
If you would still like to disable trackbacks manually, follow the steps below:
- Settings > Discussion
- Uncheck “
Important! Then as a safety precaution, Acunetix suggests renaming your xmlrpc.php file to something else.
How to rename WordPress xmlrpc.php file
- Log in to your hosting server via SFTP through FileZilla or your favorite FTP program, or through your cPanel > File Manager.
- Open your home directory (usually public_html) or where your WordPress is installed. (Tip: This is where your wp-activate.php file exists.)
- Find the xmlrpc.php file, right-click it, then rename it.
Until there is a WordPress security patch, I strongly suggest you follow the steps above to protect all your WordPress sites from this pingback vulnerability.
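As an added example (not part of the original post), a small check you can run over your own web server log to see both sides of this issue: someone feeding pingback requests to your xmlrpc.php so your blog hits another URL, and many other blogs fetching one of your pages because your site is the target. The log lines, IPs and blog URLs below are constructed; the user agent pattern assumes WordPress's default "WordPress/<version>; <blog URL>" HTTP client identifier.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2012:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Python-urllib/2.7"
203.0.113.7 - - [28/Dec/2012:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Python-urllib/2.7"
203.0.113.7 - - [28/Dec/2012:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Python-urllib/2.7"
198.51.100.4 - - [28/Dec/2012:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Dec/2012:10:02:00 +0000] "GET /blog/post-1/ HTTP/1.1" 200 9001 "-" "WordPress/3.5; http://blog-a.example"
192.0.2.11 - - [28/Dec/2012:10:02:00 +0000] "GET /blog/post-1/ HTTP/1.1" 200 9001 "-" "WordPress/3.4.2; http://blog-b.example"
192.0.2.12 - - [28/Dec/2012:10:02:01 +0000] "GET /blog/post-1/ HTTP/1.1" 200 9001 "-" "WordPress/3.5; http://blog-c.example"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_posters(lines, threshold=3):
    """Source IPs that POST to xmlrpc.php at least `threshold` times: what a
    stream of pingback.ping calls aimed at your blog looks like in your own log."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def pingback_targets(lines, threshold=3):
    """Paths fetched by at least `threshold` distinct WordPress blogs. A pinged
    blog fetches the target page with the 'WordPress/<version>; <blog URL>'
    user agent, so many different blogs on one path means you are the target."""
    blogs = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        m = re.match(r"WordPress/\S+; (\S+)$", rec["ua"])
        if m:
            blogs[rec["path"]].add(m.group(1))
    return {path: sorted(b) for path, b in blogs.items() if len(b) >= threshold}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("xmlrpc.php POST bursts:", xmlrpc_posters(lines))
    print("paths hit by many blogs:", pingback_targets(lines))
```

After renaming xmlrpc.php or installing the plugin, the POSTs in the first report should turn into 404s (or stop); the second report is worth a look even if your own pingbacks are off, since it depends on other people's blogs.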
Leave Your Feedback
Have questions or concerns? Please leave your comment below.
Be sure to share this article with friends and colleagues so we can all help keep our sites safe.
Wayne Harriman says
Thanks for this info, Regina! So, renaming the xmlrpc.php file will not affect any blog functionality, correct? And can we rename it again after a fix has been issued for this vulnerability, or can it stay renamed forever? Thanks again for all you do for us WP’ers!
Regina Smola says
Great question! Renaming the file xmlrpc.php will not affect your blog’s functionality, but it will completely disable pingbacks and trackbacks while we’re waiting for a security fix.
Once WordPress issues a security patch, you will upgrade your site which will upload the new xmlrpc.php file (or it should). Check to see if the new file exists and then delete the “renamed” file from your system since you no longer need it.
Note: I have no information when this will be so in the interim make sure you rename that file on all your sites until we know it’s fixed for sure.
Wayne Harriman says
Great, thanks Regina. I have applied the fix now, fast and easy! 🙂
Justin says
Hi Regina,
I turned off trackbacks and pings about six months ago. I did it because I was tired of spammers trying to get a trackback to my blog. Thanks for informing us WordPress users about this vulnerability.
Take Care.
Regina Smola says
Hi Justin,
Did you rename the xmlrpc.php file?
I hear you on the spammers trying to get a trackback, but I like to see who’s linking to me as a general rule and to help combat content scrapers out there.
Cyndi says
Hi Regina, I wonder if you have heard of this. I have one client that keeps getting random subscriber notices but yet we have settings to not allow subscriptions; deactivated all possible plugins that could be allowing it yet they still keep coming. No sign of “subscribers” anywhere on back end we get the notifications for.
Regina Smola says
Hi Cyndi,
I would check a couple things. First look at the email notices and see if they are “spoofs” or actually coming from the blog. Then I would check the database through phpMyAdmin and look in the wp_users table for hidden users.
Is it possible you are using a plugin such as Subscribe to Comments?
Cyndi says
I deactivated subscribe to comments and a few others just on the off chance it was them causing it but she’s still getting them. The email subject is: New User registration and “allegedly” comes from From: WordPress [mailto:[email protected]]
Regina Smola says
Hi Cyndi,
That sounds scary. I sent you a Skype contact request to you. Meet me over there in a few so we can figure this out.
Cyndi says
You are so kind. In replying to you and giving you that info I realized it’s a site of hers that I didn’t design (I have 3 I did for her) so I was checking the wrong one — holiday crunch and all! Duh! I’m waiting for her to send me log-in info for it and make sure subscribe settings and such are looking good. Can I take you up on the offer if after I check it she still gets those emails?
Regina Smola says
Not a problem at all. Just send me a Skype if you need me. If I don’t answer right away I am combatting site issues and will get back to you ASAP.
Paul B. Taubman, II says
This email comes because people ARE registering to your client’s site! If this is not wanted, I suggest you turn off the ability for folks to register. The way to do that is to log in to your dashboard, go under Settings > General and then UNCHECK the membership checkbox that says, “Anyone can register”.
Even though your client may not have a register page, others out there know where this page is. With this box checked, they can register and then get added to your list of valid users on your site!
I hope this helps!
Be Well.
Paul.
Amy Hagerup says
Thanks, Paul. I just did this too. I don’t know why I was getting subscribers in there, but I now unchecked the box and deleted the ones in there. Not sure how that worked though. Thanks for the help.
Cyndi says
Success! I went in there and she had checked off to allow subscribers, added security plugins and all that good stuff!!!!
June says
Thanks for the info. I have been hacked before, so this ounce of prevention is greatly appreciated.
Steverob says
Thanks for pointing this out – I’m no shakes as a website engineer but I did follow your line of argument so will go ahead and do that disabling!
Monica says
Thanks Regina for the update! I don’t quite get the potential danger. OK, the sites are vulnerable, but what exactly could happen? Cheers!
Regina Smola says
Hi Monica,
Basically, attackers can contact a large number of blogs and ask them to do pingbacks on targeted URLs. All of these sites will attack the target URL, thereby doing a DDoS. For more details on this pingback vulnerability click here.
Peter says
I might have already got hacked as it won’t allow me to change settings. Is there anything I can do now?
Regina Smola says
Hi Peter,
Is the rest of your site running normal? Are you able to re-save your permalinks? I would try clearing your browser cache and cookies and try again. Also, are you running a caching plugin? If so, try clearing your site’s cache and try again.
For sure, rename the file and that will stop trackbacks and pingbacks even if you can’t change your settings.
Peter says
Hi Regina,
I was able to un-check the box after deactivating all the plug-ins. After I reactivated them it came back as checked and the same problem ensued. I’m in the process of turning them on and off to find the offender. I also wanted to thank you for all the great advice you give here.
Regina Smola says
Thanks for letting me know Peter. Please give an update when you find out what the problem is.
Did you upgrade to WordPress 3.5 already? It could be an issue with your theme or plugin. Check http://wordpress.org/support/topic/troubleshooting-wordpress-35-master-list
Also, see my other post below
Peter says
It was a plug-in called: Spam Free WordPress.
chrismccoy says
what about disabling xmlrpc?
// Turn off the XML-RPC server entirely (drop into a plugin or the theme's functions.php)
add_filter( 'xmlrpc_enabled', '__return_false' );
Regina Smola says
Hi Chris,
I suppose that could be an option, but this is a temporary fix. Some that do that may forget when it’s fixed and want to enable them again. It’s easiest to rename the file.
Barry van Someren says
Hi,
Alternatively you can also set a .htaccess file.
You should already have one in the root of your WordPress site (for permalinks)
Just add the following:
Deny from all
Barry van Someren says
*sigh*
I hate how Apache configuration looks like HTML to every comment filter. Have a look at http://httpd.apache.org/docs/2.2/mod/core.html#files; basically you want to add a Deny from all for the specific xmlrpc.php file
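The block the comment filter stripped, written out as an added example (not the commenter's own text). It assumes Apache with .htaccess overrides allowed, and covers both the 2.2 syntax the comment links to and the 2.4 equivalent:

```apache
# Added example: put this in the .htaccess at the WordPress root, next to the
# permalink rules. Apache refuses every request for xmlrpc.php before WordPress
# runs, so pingback.ping is unreachable whether or not pingbacks are on in Settings.
<Files "xmlrpc.php">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_host), the syntax the comment above refers to
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

Requests to xmlrpc.php then get a 403, so the rename step is not needed, but remote publishing tools and mobile apps that talk to WordPress over XML-RPC stop working too.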
Guy Merritt says
I’ve got a lot of WordPress sites and, oddly, this is happening on some sites and not others (voluminous amounts of pingbacks). I’ve disabled pingbacks and trackbacks, and renamed the file to which you referred. I’m an idiot – I know a tiny bit about PHP…not much at all. The design of WordPress is pretty elegant. I would presume that it doesn’t include many superfluous files not critical to its function. What does renaming, and thereby disabling (presumably), the file “xmlrpc.php” do to WordPress? And I’m curious to see if all of this stops these darned things. My inbox is ringin’ off the hook with these pingback notifications.
Regina Smola says
Just updated this post about a new plugin that totally disables XMLRPC, preventing the recent Pingback spam vulnerability – See Update Here
Steve Johnson says
To begin with, this isn’t “new”. The original trac ticket: http://core.trac.wordpress.org/ticket/4137 was opened SIX YEARS AGO. Ryan Boren, a WP core developer and Automattic employee, had this to say FOUR YEARS AGO: “There are so many ways to orchestrate a DDOS, I don’t know if this is worth bothering with. If someone feels otherwise, re-open with a patch that works with WP_Http.” In the last four years, no patches have been submitted or suggested.
A knowledgeable script kiddie can do port scans of a host without using XMLRPC. This “vulnerability” is overblown. Don’t look for a fix from the WP core team anytime soon. It’s not very high on their radar, if at all.
Regina Smola says
Hi Steve,
Thanks for sharing your opinion. While this was opened 6 years ago, it needs to be revisited since the release of the new script at https://github.com/FireFart/WordpressPingbackPortScanner that can easily take advantage of it. That ticket has been reopened and the severity changed from minor to normal, and it is awaiting review.
Better to make people aware, on the side of caution. I personally have disabled my trackbacks pending word from WordPress.
Steve Johnson says
I have no desire to be argumentative, but that ‘port scanner’ is next to worthless. No reputable hosting company that I’m aware of exposes stray ports, and certainly none of the bigger ones – HostGator, BlueHost, GoDaddy, etc. – do. The only occasion where it MIGHT expose a security hole is if someone is running WP from their own home-based server and has neglected basic security – like a firewall. Of the several million+ WP installs facing the internet, I would be surprised if more than a handful are hosted on a vulnerable server setup. Finding those would be akin to looking for a needle in a mountain-sized haystack.
The ticket severity was changed to ‘normal’ by JoeBlow – anyone with a login to trac can make changes to a ticket. ‘Awaiting review’ just means that it’s on the trac ticket waiting list, along with 1,585 others as of this moment.
Andrew Nacin, lead WP developer said, in ticket 21509 from 5 months ago (http://core.trac.wordpress.org/ticket/21509), regarding the default enabling of XML-RPC, “…Security is no greater a concern than the rest of core.
There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.”
Do you see wordpress.com turning off their XML-RPC?
It is just my opinion, of course, but I think this snowball was started down the hill by someone wanting to see their name in lights.
Trumpeting this thing as a security concern when it isn’t is not a good thing to do, IMHO.
Regina Smola says
You’re entitled to your opinion and I appreciate that. However I don’t agree that it is NOT a security concern. BTW, I wasn’t the snowball 😉
Steve Johnson says
LOL – I know you weren’t the snowball 🙂
Maybe you can elaborate at some point as to why you think this is a security concern – it doesn’t expose any WP install or hosting account to any intruders whatsoever. If server admins thought it was a problem, you can bet they’d be up in arms over this, but I haven’t heard a peep.
Anyway – Happy New Year! You run a useful site, that’s why I stay on your list even though I may disagree at times ;-:
Shane Curtis says
Thanks a lot for this article about how to have a strong WP security this is really great. Hackers hard to manage this. By the way I learn a lot and thanks a lot.
Ranjan says
Hi Regina, it’s always a nightmare for us, and I am a little bit timid about my WordPress website even though I keep backups, and that’s the reason why I am certainly not updating my WordPress blog to 3.5, because sometimes there are spying eyes around our websites who are in search of a tiny fault to invoke their legs.
Keith Davis says
Thanks for the heads up Regina and the link to the plugin.
Thanks to Kimberly Castleberry for letting us know about the new “Prevent XMLRPC” plugin by Nathan Briggs.
Looks as though I’m going to be busy tonight.
BTW – lots of security info here, just subscribed.
Iteire Apollos says
Wow! No more pingbacks and trackbacks for now. I’m really going to miss that service. I hope something is done as soon as possible.
Sawicka says
Well, I haven’t turned off trackbacks and pingbacks yet. Is it really risky to leave them turned on these days? Is it fine if I leave them turned on? Because I see there are not many trackbacks and pingbacks on my website. Thanks for answering my question, Regina 🙂
Regards,
Sawicka
Geetu R Vaswani says
You are doing a great service to us folks who use WordPress. Thank you.
April says
Hi Regina,
I followed the instructions given above in regards to renaming xmlrpc.php, but I ended up seeing the whole public_html directory being empty. I renamed it as ‘xmlrpcc.php’ and saved it. Now, my website indicates as I enter the domain name, ‘Forbidden You don’t have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.’ Could you give me some possibilities you can think of why this happened.. and how I could find the file and set the directory, just as before. Thanks for your input, Regina!
Regina Smola says
Hi April,
I hope you got it figured out. Renaming your xmlrpc.php file should have nothing to do with emptying your public_html directory. Do you have a backup? If you need help, be sure to contact me.