WPSecurityLock – Malware removal & WordPress security services
WordPress Security Warning: Pingback Vulnerability & Temporary Fix

December 19, 2012 By Regina Smola 42 Comments

A WordPress pingback vulnerability has been reported that could put your site's security at risk through a distributed denial-of-service (DDoS) attack.

Many WordPress bloggers use pingbacks and trackbacks to get notifications when someone links to their posts. I am one that likes to use them as well. But unfortunately, this new pingback vulnerability puts all our WordPress sites at risk.

A big thanks goes out to Bogdan Calin at Acunetix for his article “WordPress Pingback Vulnerability” alerting the public. He stated that somebody posted on Reddit about a WordPress scanner that takes advantage of this new WordPress vulnerability. And even if you disable trackbacks, the threat still exists.

Which version of WordPress is affected?

While reading through the comments on Bogdan's article, it seems that even WordPress 3.5 is at risk, so it looks like all versions are affected.

guly
Actually, in my overnight tests I found that a blog post where trackbacks are disabled isn’t vulnerable. Disabling it worked as a fix for my test installation; of course, YMMV.

Bogdan Calin
That’s not my experience. In my case it worked even if trackbacks were disabled. I’ve tested on WordPress 3.5.

Source: http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/#comment-33097

How do you protect your WordPress blog from this pingback vulnerability?

According to Bogdan, there is no current fix, but it has been reported to WordPress and will probably be fixed soon. In the meantime, you can disable your pingbacks and trackbacks from your WordPress Dashboard as follows:

UPDATE: 12/29/2012

Thanks to Kimberly Castleberry for letting us know about the new “Prevent XMLRPC” plugin by Nathan Briggs.

The plugin makes this easy for users, so you don't have to rename the file (see below). Once the vulnerability is fixed, or whenever you want to turn pingbacks and trackbacks back on, just deactivate and delete the plugin.

If you would still like to disable trackbacks manually, follow the steps below:

  1. Settings > Discussion
  2. Uncheck “

Important! Then, as a safety precaution, Acunetix suggests renaming your xmlrpc.php file to something else.

How to rename WordPress xmlrpc.php file

  1. Log in to your hosting server via SFTP using FileZilla or your favorite FTP program, or through your cPanel > File Manager.
  2. Open your home directory (usually public_html) or wherever your WordPress is installed. (Tip: This is the directory where your wp-activate.php file lives.)
  3. Find the xmlrpc.php file, right-click it and rename the file.

Until there is a WordPress security patch, I strongly suggest you follow the steps above to protect all your WordPress sites from this pingback vulnerability.
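The flaw behind the steps above is that a pingback.ping call to xmlrpc.php names a sourceURI that WordPress will go and fetch, so an attacker can make many blogs contact a host of their choosing. The following Python example is added here (it is not the post's code, nor WordPress core or the plugin mentioned above) and shows the checks a hardened pingback handler or front-end proxy rule would apply to the request body before the site fetches anything: it rejects source URLs pointing at internal addresses or unusual ports (the port-probing use of the flaw) and flags a burst of pingbacks all naming the same outside host (the DDoS pattern). The protected hostname, the burst limit and every sample request are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

OUR_HOST = "blog.example"   # assumed hostname of the site being protected
BURST_LIMIT = 3             # assumed: more pingbacks than this naming one host is a flood

def parse_pingback(body):
    """Return (sourceURI, targetURI) from a pingback.ping call, or None for anything else."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    params = [p.text or "" for p in root.findall("./params/param/value/string")]
    return (params[0], params[1]) if len(params) == 2 else None

def request_findings(source, target):
    """Problems with one request; an empty list means it looks like an ordinary pingback."""
    findings = []
    src, tgt = urlsplit(source), urlsplit(target)
    host = src.hostname or ""
    if src.scheme not in ("http", "https") or not host:
        findings.append("source-not-http")
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:               # a hostname rather than a literal IP address
        internal = host == "localhost"
    if internal:
        findings.append("source-internal-address")   # the site would be made to probe its own network
    if src.port not in (None, 80, 443):
        findings.append("source-unusual-port")       # the port-scanning use of the flaw
    if tgt.hostname != OUR_HOST:
        findings.append("target-not-local")          # claims to link a post this site does not host
    return findings

def inspect_batch(bodies):
    """Indexes of requests to reject, plus source hosts named more than BURST_LIMIT times (DDoS pattern)."""
    reject, hosts = [], Counter()
    for i, body in enumerate(bodies):
        parsed = parse_pingback(body)
        if parsed is None:
            continue                 # other XML-RPC methods are out of scope here
        source, target = parsed
        if request_findings(source, target):
            reject.append(i)
        hosts[urlsplit(source).hostname] += 1
    flooded = sorted(h for h, n in hosts.items() if n > BURST_LIMIT)
    return {"reject": reject, "flooded_hosts": flooded}

def pingback_xml(source, target):
    """Body a pingback client sends to xmlrpc.php (used here only to construct samples)."""
    return ("<methodCall><methodName>pingback.ping</methodName><params><param><value><string>%s"
            "</string></value></param><param><value><string>%s</string></value></param></params>"
            "</methodCall>" % (source, target))

POST = "http://blog.example/2012/12/pingback-warning"        # constructed local post URL
SAMPLE_REQUESTS = [                                           # constructed traffic
    pingback_xml("http://other-blog.example/my-post", POST),  # ordinary pingback
    pingback_xml("http://10.0.0.5:3306/", POST),              # internal host and database port probe
    pingback_xml("http://victim.example:8080/", POST),        # unusual port on an outside host
] + [pingback_xml("http://victim.example/", POST)] * 4        # repeated requests naming one host
```

Running inspect_batch(SAMPLE_REQUESTS) rejects the two probing requests and reports victim.example as a flooded host, while the ordinary pingback passes.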

Leave Your Feedback

Have questions or concerns? Please leave your comment below.

Be sure to share this article with friends and colleagues so we can all help keep our sites safe.

Filed Under: Bugs & Vulnerabilities Tagged With: DDos, fix wordpress vulnerabilities, pingback vulnerability

Comments

  1. Wayne Harriman says

    December 19, 2012 at 11:57 am

    Thanks for this info, Regina! So, renaming the xmlrpc.php file will not affect any blog functionality, correct? And can we rename it again after a fix has been issued for this vulnerability, or can it stay renamed forever? Thanks again for all you do for us WP’ers!

    • Regina Smola says

      December 19, 2012 at 12:04 pm

      Great question! Renaming the file xmlrpc.php will not affect your blog’s functionality, but it will completely disable pingbacks and trackbacks while we’re waiting for a security fix.

      Once WordPress issues a security patch, you will upgrade your site which will upload the new xmlrpc.php file (or it should). Check to see if the new file exists and then delete the “renamed” file from your system since you no longer need it.

      Note: I have no information on when this will be, so in the interim make sure you rename that file on all your sites until we know it’s fixed for sure.

      • Wayne Harriman says

        December 19, 2012 at 12:38 pm

        Great, thanks Regina. I have applied the fix now, fast and easy! 🙂

  2. Justin says

    December 19, 2012 at 10:10 am

    Hi Regina,
    I turned off trackbacks and pings about six months ago. I did it because I was tired of spammers trying to get a trackback to my blog. Thanks for informing us WordPress users about this vulnerability.

    Take Care.

    • Regina Smola says

      December 19, 2012 at 10:41 am

      Hi Justin,

      Did you rename the xmlrpc.php file?

      I hear you on the spammers trying to get a trackback, but I like to see who’s linking to me as a general rule and to help combat content scrapers out there.

  3. Cyndi says

    December 19, 2012 at 10:58 am

    Hi Regina, I wonder if you have heard of this. I have one client that keeps getting random subscriber notices, yet we have the settings set to not allow subscriptions; I deactivated all possible plugins that could be allowing it, yet they still keep coming. There is no sign of the “subscribers” anywhere on the back end that we get the notifications for.

    • Regina Smola says

      December 19, 2012 at 11:18 am

      Hi Cyndi,

      I would check a couple things. First look at the email notices and see if they are “spoofs” or actually coming from the blog. Then I would check the database through phpMyAdmin and look in the wp_users table for hidden users.

      Is it possible you are using a plugin such as Subscribe to Comments?

      • Cyndi says

        December 19, 2012 at 11:21 am

        I deactivated subscribe to comments and a few others just on the off chance it was them causing it but she’s still getting them. The email subject is: New User registration and “allegedly” comes from From: WordPress [mailto:[email protected]]

        • Regina Smola says

          December 19, 2012 at 11:23 am

          Hi Cyndi,

          That sounds scary. I sent you a Skype contact request to you. Meet me over there in a few so we can figure this out.

          • Cyndi says

            December 19, 2012 at 11:27 am

            You are so kind. In replying to you and giving you that info I realized it’s a site of hers that I didn’t design (I have 3 I did for her) so I was checking the wrong one — holiday crunch and all! Duh! I’m waiting for her to send me log-in info for it and make sure subscribe settings and such are looking good. Can I take you up on the offer if after I check it she still gets those emails?

          • Regina Smola says

            December 19, 2012 at 11:54 am

            Not a problem at all. Just send me a Skype if you need me. If I don’t answer right away I am combatting site issues and will get back to you ASAP.

          • Paul B. Taubman, II says

            December 19, 2012 at 12:34 pm

            This email comes because people ARE registering on your client’s site! If this is not wanted, I suggest you turn off the ability for folks to register. The way to do that is to log in to your dashboard, go under Settings > General and then UNCHECK the membership checkbox that says, “Anyone can register”.

            Even though your client may not have a register page, others out there know where this page is. With this box checked, they can register and then get added to your list of valid users on your site!

            I hope this helps!

            Be Well.
            Paul.

          • Amy Hagerup says

            December 19, 2012 at 3:30 pm

            Thanks, Paul. I just did this too. I don’t know why I was getting subscribers in there, but I now unchecked the box and deleted the ones in there. Not sure how that worked though. Thanks for the help.

          • Cyndi says

            December 19, 2012 at 2:31 pm

            Success! I went in there and she had checked off to allow subscribers, added security plugins and all that good stuff!!!!

          • June says

            December 19, 2012 at 12:14 pm

            Thanks for the info. I have been hacked before, so this ounce of prevention is greatly appreciated.

  4. Steverob says

    December 19, 2012 at 11:35 am

    Thanks for pointing this out – I’m no shakes as a website engineer but I did follow your line of argument so will go ahead and do that disabling!

  5. Monica says

    December 19, 2012 at 12:28 pm

    Thanks Regina for the update! I don’t quite get the potential danger. OK, the sites are vulnerable, but what exactly could happen? Cheers!

    • Regina Smola says

      December 19, 2012 at 12:39 pm

      Hi Monica,

      Basically, attackers can contact a large number of blogs and ask them to do pingbacks on targeted URLs. All of these sites will attack the target URL, thereby doing a DDoS. For more details on this pingback vulnerability click here.

      A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
      Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
      A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.
      Source: http://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack

  6. Peter says

    December 19, 2012 at 3:15 pm

    I might have already got hacked as it won’t allow me to change settings. Is there anything I can do now?

    • Regina Smola says

      December 19, 2012 at 6:25 pm

      Hi Peter,

      Is the rest of your site running normally? Are you able to re-save your permalinks? I would try clearing your browser cache and cookies and try again. Also, are you running a caching plugin? If so, try clearing your site’s cache and try again.

      For sure, rename the file and that will stop trackbacks and pingbacks even if you can’t change your settings.

      • Peter says

        December 20, 2012 at 4:22 pm

        Hi Regina,

        I was able to un-check the box after deactivating all the plug-ins. After I reactivated them it came back as checked and the same problem ensued. I’m in the process of turning them on and off to find the offender. I also wanted to thank you for all the great advice you give here.

        • Regina Smola says

          December 20, 2012 at 4:39 pm

          Thanks for letting me know Peter. Please give an update when you find out what the problem is.

          Did you upgrade to WordPress 3.5 already? It could be an issue with your theme or plugin. Check http://wordpress.org/support/topic/troubleshooting-wordpress-35-master-list

          Also, see my other post below

          • Peter says

            December 20, 2012 at 4:48 pm

            It was a plug-in called: Spam Free WordPress.

  7. chrismccoy says

    December 20, 2012 at 12:37 pm

    what about disabling xmlrpc?

    add_filter( 'xmlrpc_enabled', '__return_false' ); // disables all XML-RPC methods, not just pingbacks
    • Regina Smola says

      December 20, 2012 at 12:41 pm

      Hi Chris,

      I suppose that could be an option, but this is a temporary fix. Some that do that may forget when it’s fixed and want to enable them again. It’s easiest to rename the file.

  8. Barry van Someren says

    December 21, 2012 at 2:30 am

    Hi,

    Alternatively you can also set a .htaccess file.
    You should already have one in the root of your WordPress site (for permalinks)

    Just add the following:

    # Apache 2.2 syntax: refuse every request for xmlrpc.php
    <Files xmlrpc.php>
        Deny from all
    </Files>
    • Barry van Someren says

      December 21, 2012 at 2:33 am

      *sigh*
      I hate how Apache configuration looks like HTML to every comment filter. Have a look at http://httpd.apache.org/docs/2.2/mod/core.html#files; basically you want to add a Deny from all for the specific xmlrpc.php file.

  9. Guy Merritt says

    December 28, 2012 at 10:13 am

    I’ve got a lot of WordPress sites and, oddly, this is happening on some sites and not others (voluminous amounts of pingbacks). I’ve disabled pingbacks and trackbacks, and renamed the file to which you referred. I’m an idiot – I know a tiny bit about PHP… not much at all. The design of WordPress is pretty elegant. I would presume that it doesn’t include many superfluous files not critical to its function. What does renaming, and thereby disabling (presumably), the file “xmlrpc.php” do to WordPress? And I’m curious to see if all of this stops these darned things. My inbox is ringin’ off the hook with these pingback notifications.

  10. Regina Smola says

    December 29, 2012 at 8:34 am

    Just updated this post about a new plugin that totally disables XMLRPC, preventing the recent Pingback spam vulnerability – See Update Here

  11. Steve Johnson says

    December 30, 2012 at 10:40 am

    To begin with, this isn’t “new”. The original trac ticket: http://core.trac.wordpress.org/ticket/4137 was opened SIX YEARS AGO. Ryan Boren, a WP core developer and Automattic employee, had this to say FOUR YEARS AGO: “There are so many ways to orchestrate a DDOS, I don’t know if this is worth bothering with. If someone feels otherwise, re-open with a patch that works with WP_Http.” In the last four years, no patches have been submitted or suggested.

    A knowledgeable script kiddie can do port scans of a host without using XMLRPC. This “vulnerability” is overblown. Don’t look for a fix from the WP core team anytime soon. It’s not very high on their radar, if at all.

    • Regina Smola says

      December 31, 2012 at 2:38 pm

      Hi Steve,

      Thanks for sharing your opinion. While this was opened 6 years ago, it needs to be revisited since the release of the new script at https://github.com/FireFart/WordpressPingbackPortScanner that can easily take advantage of it. That ticket has been reopened, its severity changed from minor to normal, and it is awaiting review.

      Better to make people aware and err on the side of caution. I personally have disabled my trackbacks pending word from WordPress.

      • Steve Johnson says

        December 31, 2012 at 4:17 pm

        I have no desire to be argumentative, but that ‘port scanner’ is next to worthless. No reputable hosting company that I’m aware of exposes stray ports, and certainly none of the bigger ones – HostGator, BlueHost, GoDaddy, etc. – do. The only occasion where it MIGHT expose a security hole is if someone is running WP from their own home-based server and has neglected basic security – like a firewall. Of the several million+ WP installs facing the internet, I would be surprised if more than a handful are hosted on a vulnerable server setup. Finding those would be akin to looking for a needle in a mountain-sized haystack.

        The ticket severity was changed to ‘normal’ by JoeBlow – anyone with a login to trac can make changes to a ticket. ‘Awaiting review’ just means that it’s on the trac ticket waiting list, along with 1,585 others as of this moment.

        Andrew Nacin, lead WP developer said, in ticket 21509 from 5 months ago (http://core.trac.wordpress.org/ticket/21509), regarding the default enabling of XML-RPC, “…Security is no greater a concern than the rest of core.

        There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.”

        Do you see wordpress.com turning off their XML-RPC?

        It is just my opinion, of course, but I think this snowball was started down the hill by someone wanting to see their name in lights.

        Trumpeting this thing as a security concern when it isn’t is not a good thing to do, IMHO.

        • Regina Smola says

          December 31, 2012 at 4:51 pm

          You’re entitled to your opinion and I appreciate that. However I don’t agree that it is NOT a security concern. BTW, I wasn’t the snowball 😉

          • Steve Johnson says

            December 31, 2012 at 5:11 pm

            LOL – I know you weren’t the snowball 🙂

            Maybe you can elaborate at some point as to why you think this is a security concern – it doesn’t expose any WP install or hosting account to any intruders whatsoever. If server admins thought it was a problem, you can bet they’d be up in arms over this, but I haven’t heard a peep.

            Anyway – Happy New Year! You run a useful site, that’s why I stay on your list even though I may disagree at times ;-:

  12. Shane Curtis says

    January 10, 2013 at 6:42 pm

    Thanks a lot for this article about how to have strong WP security; this is really great. Hackers will find this hard to manage. By the way, I learned a lot, and thanks a lot.

  13. Ranjan says

    January 15, 2013 at 4:45 am

    Hi Regina, it’s always a nightmare for us, and I am a little bit timid about my WordPress website even though I keep backups, and that’s the reason why I am certainly not updating my WordPress blog to 3.5, because sometimes there are spying eyes around our websites too, who are in search of a tiny fault to invoke their legs.

  14. Keith Davis says

    January 15, 2013 at 7:24 am

    Thanks for the heads up Regina and the link to the plugin.

    Thanks to Kimberly Castleberry for letting us know about the new “Prevent XMLRPC” plugin by Nathan Briggs.

    Looks as though I’m going to be busy tonight.

    BTW – lots of security info here, just subscribed.

  15. Iteire Apollos says

    January 17, 2013 at 9:20 pm

    Wow! No more pingbacks and trackbacks for now. I’m really going to miss that service. I hope something is done as soon as possible.

  16. Sawicka says

    January 22, 2013 at 7:38 am

    Well, I haven’t turned off trackbacks and pingbacks yet. Is it really risky to leave them turned on these days? Is it fine if I leave them on? Because I see there are not many trackbacks and pingbacks on my website. Thanks for answering my question Regina 🙂

    Regards,

    Sawicka

  17. Geetu R Vaswani says

    January 27, 2013 at 1:53 am

    You are doing a great service to us folks who use WordPress. Thank you.

  18. April says

    May 2, 2013 at 6:00 am

    Hi Regina,
    I followed the instructions given above in regard to renaming xmlrpc.php, but I ended up seeing the whole public_html directory empty. I renamed it as ‘xmlrpcc.php’ and saved it. Now, when I enter the domain name, my website shows ‘Forbidden. You don’t have permission to access / on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.’ Could you give me some possibilities you can think of as to why this happened, and how I could find the file and set the directory back just as before? Thanks for your input, Regina!
    • Regina Smola says

      May 24, 2013 at 8:22 am

      Hi April,

      I hope you got it figured out. Renaming your xmlrpc.php file should have nothing to do with emptying your public_html directory. Do you have a backup? If you need help, be sure to contact me.
