Affects ALL Present Versions of WordPress
A WordPress pingback vulnerability has been reported that could put your site at risk of being used in a distributed denial-of-service (DDoS) attack.
Many WordPress bloggers use pingbacks and trackbacks to get notifications when someone links to their posts. I am one that likes to use them as well. But unfortunately, this new pingback vulnerability puts all our WordPress sites at risk.
A big thanks goes out to Bogdan Calin at Acunetix for his article “WordPress Pingback Vulnerability”, which alerted the public. He stated that somebody posted on Reddit about a WordPress scanner that is taking advantage of this new WordPress vulnerability. And even if you disable trackbacks, the threat still exists.
Which version of WordPress is affected?
While reading through comments on Bogdan’s article, it seems that all versions of WordPress, including even WordPress 3.5 are at risk.
How do you protect your WordPress blog from this pingback vulnerability?
According to Bogdan, there is no current fix, but it has been reported to WordPress and will probably be fixed soon. In the meantime, you can disable your COMPLETE pingback/trackback system (the XML-RPC interface, served by xmlrpc.php) as follows:
Note from Kim: This patch is a “necessary evil” for the time being. I generally never recommend disabling this. However, at this time, it’s critical that you do so. Just re-enable it as soon as WordPress patches this vulnerability.
Until there is a WordPress security patch, I strongly suggest you follow the steps below to protect all your WordPress sites from this pingback vulnerability.
How to deactivate WordPress xmlrpc.php file with a plugin
Note from Kim: If you do this, any tool that connects via XML-RPC will no longer work. Most likely this does not affect you, but if you connect to your blog remotely using Windows Live Writer, etc., you will not be able to do so after making this change.
My friend Nathan Briggs has just released a plugin that effectively deactivates the xmlrpc file. It actually does a better job than the manual deactivation because it does it in a way that does not cause WordPress to generate lots of log errors complaining about the missing file.
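To show what “deactivating xmlrpc.php from a plugin” looks like in practice (the approach described in the disable-XML-RPC steps above and in the plugin Nathan released), here is an added example of a minimal must-use plugin. It is not the Prevent XMLRPC plugin and not code from this post; the plugin header, the `example_` function names and the file name are assumptions, while the `xmlrpc_methods`, `xmlrpc_enabled` and `wp_headers` filters and the `rsd_link` action are standard WordPress hooks. Because the pingback.ping method does not require a login, the part that actually matters for this issue is unregistering the pingback methods; the other two pieces only narrow what the site advertises and what authenticated clients can do.

```php
<?php
/*
Plugin Name: Disable Pingbacks via XML-RPC (added example, not the Prevent XMLRPC plugin)
Description: Hypothetical mu-plugin. Drop into wp-content/mu-plugins/ to switch off the
             pingback methods of xmlrpc.php without deleting the file, so no 404 errors
             appear in the web server log. Remove the file once WordPress ships a fix.
*/

// Do nothing if loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/*
 * 1. Unregister the pingback methods.
 *
 * The 'xmlrpc_methods' filter receives the method table before the XML-RPC server
 * dispatches a call. Once 'pingback.ping' is gone, a pingback request gets an
 * "unknown method" fault back and WordPress never fetches the caller-supplied URL,
 * which is the step the DDoS reports describe. Remote-editing methods are untouched,
 * so Windows Live Writer style clients keep working.
 */
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

/*
 * 2. Optional: refuse every authenticated XML-RPC call as well.
 *
 * 'xmlrpc_enabled' (WordPress 3.5+) is checked in the server's login path, so it
 * disables methods that need a username/password (remote posting, mobile apps).
 * pingback.ping needs no login, which is why step 1 is required even with this on.
 * Uncomment to get the "disable the COMPLETE system" behaviour from the post.
 */
// add_filter( 'xmlrpc_enabled', '__return_false' );

/*
 * 3. Optional: stop advertising the endpoint.
 *
 * WordPress sends an X-Pingback header and a Really Simple Discovery <link> pointing
 * at xmlrpc.php; scanners use both to find targets cheaply. Removing them lowers the
 * site's visibility but is not a fix on its own, since xmlrpc.php sits at a well-known
 * path, so keep step 1 regardless.
 */
function example_strip_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_strip_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

After installing it, a quick check is to send a pingback.ping call to your own xmlrpc.php (for example with the XML-RPC client built into WordPress or any XML-RPC tool) and confirm the response is a fault naming an unknown method rather than a success message; the web server log should show a normal 200 response with no “file not found” entries, which is the advantage over deleting the file.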
Get it => Prevent XMLRPC
Leave Your Feedback
Have questions or concerns? You can either leave them for me (Kim) below or you can visit with Regina at her site and ask her there!
Be sure to share this article with friends and colleagues so we can all help keep our sites safe.
Regina & Kim
PS: If you previously deactivated pingbacks/trackbacks in your dashboard, that didn’t solve as much as we hoped. It’s better to use this plugin. Then you can re-enable pingbacks/trackbacks in the dashboard. Once WP patches, you can remove this plugin and everything will “just work” again.