A WordPress pingback vulnerability has been reported that could expose your site to abuse in a distributed denial-of-service (DDoS) attack.
Many WordPress bloggers use pingbacks and trackbacks to get notified when someone links to their posts, and I like to use them as well. Unfortunately, this new pingback vulnerability puts all of our WordPress sites at risk.
A big thanks goes out to Bogdan Calin at Acunetix for his article “WordPress Pingback Vulnerability”, which alerted the public. He reported that somebody had posted on Reddit about a WordPress scanner that takes advantage of this new vulnerability, and that the threat remains even if you disable trackbacks.
Which version of WordPress is affected?
Reading through the comments on Bogdan's article, it appears that even WordPress 3.5 is affected, so it looks like all versions are at risk. Two commenters disagreed about whether disabling trackbacks helps:
Actually, in my overnight tests I found that a blog post where trackbacks are disabled isn't vulnerable. Disabling it worked as a fix for my test installation; of course, YMMV.
That's not my experience. In my case it worked even if trackbacks were disabled. I tested on WordPress 3.5.
How do you protect your WordPress blog from this pingback vulnerability?
According to Bogdan, there is no fix yet, but the issue has been reported to WordPress and will probably be patched soon. In the meantime, you can disable pingbacks and trackbacks from your WordPress Dashboard as follows:
Using a plugin makes this easy, so you don't have to rename the file (see below). Once the vulnerability is fixed, or whenever you want to turn pingbacks and trackbacks back on, just deactivate and delete the plugin.
If you would still rather disable trackbacks manually, follow the steps below:
- Settings > Discussion
- Uncheck “
Important! The pingback method is served by xmlrpc.php, so as an additional safety precaution Acunetix suggests renaming your xmlrpc.php file to something else, which makes the endpoint unreachable regardless of the Discussion setting.
How to rename WordPress xmlrpc.php file
- Log in to your hosting server via SFTP using FileZilla or your favorite FTP client, or through cPanel > File Manager.
- Open your WordPress root directory (usually public_html, or wherever WordPress is installed). Tip: it is the directory that contains wp-activate.php.
- Find the xmlrpc.php file, right-click it, and rename it.
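After changing the Discussion setting or renaming the file, it is worth confirming from the outside what an attacker's scanner would see. The script below is an added example written for this article (not code from the original post or from Acunetix). It assumes the site answers the standard XML-RPC introspection call system.listMethods at /xmlrpc.php, which WordPress supports, takes the site URL from the command line, and embeds constructed sample responses so the parsing logic can run offline.

```python
"""Check whether a WordPress site's xmlrpc.php still exposes pingback.ping.

Added example for this article (not code from the original post or from
Acunetix). It POSTs the XML-RPC introspection call system.listMethods and
looks for pingback.ping in the answer. The sample responses at the bottom
are constructed so the parsing logic runs offline.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

LIST_METHODS_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>system.listMethods</methodName>"
    "<params></params></methodCall>"
)


def parse_method_list(body: bytes) -> list:
    """Return the method names from a system.listMethods methodResponse.

    Raises ValueError when the body is not an XML-RPC method list, which is
    what you get once xmlrpc.php has been renamed (an HTML 404 page) or when
    the server answers with an XML-RPC fault.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"not XML: {exc}") from exc
    if root.tag != "methodResponse":
        raise ValueError(f"unexpected root element <{root.tag}>")
    if root.find("fault") is not None:
        fault = root.findtext(".//member[name='faultString']/value/string")
        raise ValueError(f"XML-RPC fault: {fault}")
    return [v.text for v in root.findall(".//array/data/value/string")]


def classify_response(body: bytes) -> str:
    """'exposed' if pingback.ping is listed, 'not-exposed' if a method list
    came back without it, 'no-xmlrpc' if there is no method list at all."""
    try:
        methods = parse_method_list(body)
    except ValueError:
        return "no-xmlrpc"
    return "exposed" if "pingback.ping" in methods else "not-exposed"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """POST system.listMethods to <base_url>/xmlrpc.php and classify the reply.

    An HTTP error status (404 after the rename, 403 from a web-server rule)
    is reported as such rather than guessed at.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php",
        data=LIST_METHODS_REQUEST.encode(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as exc:
        return f"http-error-{exc.code}"


# Constructed sample: an abbreviated method list as a stock install answers it.
SAMPLE_STOCK = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed sample: XML-RPC still served, but without the pingback method.
SAMPLE_WITHOUT_PINGBACK = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed sample: the HTML error page a host returns once xmlrpc.php is gone.
SAMPLE_RENAMED = (
    b"<!DOCTYPE html>\n<html><head><title>404 Not Found</title></head>"
    b"<body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_site(sys.argv[1]))  # e.g. python3 check_pingback.py https://example.com
    else:
        for label, sample in (("stock", SAMPLE_STOCK), ("renamed", SAMPLE_RENAMED)):
            print(f"{label}: {classify_response(sample)}")
```

Save it under any name (check_pingback.py is just the name used in the comment) and run it with your site's base URL. "exposed" means the pingback method is still reachable; after renaming xmlrpc.php you should see "no-xmlrpc" or an http-error line. Since the article reports that the threat remains when trackbacks are disabled in the Dashboard, expect "exposed" after that step alone.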
Until WordPress ships a security patch, I strongly suggest following the steps above to protect all of your WordPress sites from this pingback vulnerability. Keep in mind that renaming xmlrpc.php also breaks anything that talks to your site over XML-RPC, such as the WordPress mobile apps and Jetpack, and that a WordPress core update will put a fresh copy of xmlrpc.php back, so check again after every update.
Leave Your Feedback
Have questions or concerns? Please leave your comment below.
Be sure to share this article with friends and colleagues so we can all help keep our sites safe.