WordPress Security Warning: Pingback Vulnerability & Temporary Fix

December 20, 2012 · 11 comments

in WordPress


Affects ALL Present Versions of WordPress

This article is courtesy of WPSecurityLock's security pro, Regina Smola. (Thanks Regina!)

A WordPress pingback vulnerability has been reported that could put your site's security at risk by letting it be used in a distributed denial-of-service (DDoS) attack.

Many WordPress bloggers use pingbacks and trackbacks to get notifications when someone links to their posts. I am one that likes to use them as well. But unfortunately, this new pingback vulnerability puts all our WordPress sites at risk.

A big thanks goes out to Bogdan Calin at Acunetix for his article "WordPress Pingback Vulnerability" alerting the public. He reports that somebody posted on Reddit about a WordPress scanner that is taking advantage of this new WordPress vulnerability. And even if you disable trackbacks, the threat still exists.

Which version of WordPress is affected?

While reading through the comments on Bogdan's article, it seems that all versions of WordPress, even WordPress 3.5, are at risk.

How do you protect your WordPress blog from this pingback vulnerability?

According to Bogdan, there is no current fix, but it has been reported to WordPress and will probably be fixed soon. In the meantime, you can disable your COMPLETE pingback/trackback system (the xmlrpc.php interface, known as xmlrpc) as follows:

Note from Kim: This patch is a "necessary evil" for the time being. I generally never recommend disabling this. However, at this time, it's critical that you do so. Just re-enable it as soon as WordPress patches this vulnerability.

Until there is a WordPress security patch, I strongly suggest you follow the steps below to protect all your WordPress sites from this pingback vulnerability.

How to deactivate WordPress xmlrpc.php file with a plugin

Note from Kim: If you do this, any tool that connects through xmlrpc will no longer work. Most likely this does not affect you, but if you connect to your blog remotely using Windows Live Writer, etc…, you will not be able to do so after you make this change.

My friend Nathan Briggs has just released a plugin that effectively deactivates the xmlrpc file. It actually does a better job than the manual deactivation (deleting or renaming xmlrpc.php), because it leaves the file in place and so does not cause WordPress to generate lots of log errors complaining about the missing file.

Get it => Prevent XMLRPC
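To show what "deactivating xmlrpc without removing the file" looks like in practice, here is an added example of a must-use plugin. It is not the Prevent XMLRPC plugin's code and not from the original post; it assumes the standard WordPress hooks `xmlrpc_methods` and `wp_headers` (present in all affected versions) and `xmlrpc_enabled` (present from 3.5 onward).

```php
<?php
/*
Plugin Name: Example Pingback Lockdown (added example, not the Prevent XMLRPC plugin)
Description: Leaves xmlrpc.php in place, so WordPress logs no "missing file"
             errors, but removes the pingback entry point that the DDoS abuse relies on.
*/

// Refuse XML-RPC calls that require a login (filter exists in WordPress 3.5+).
// Caveat: pingback.ping needs NO login, so this line alone does not stop the
// pingback abuse; the xmlrpc_methods filter below is what actually removes it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop the pingback methods from the XML-RPC method table.
// A request for pingback.ping then receives a "method not found" fault instead
// of causing this site to fetch an attacker-chosen URL.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to
// single-post responses, which is how scanners discover pingback-capable sites.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
```

Save it as wp-content/mu-plugins/example-pingback-lockdown.php; files in mu-plugins load without activation. If you still need Windows Live Writer or another XML-RPC client, delete only the `xmlrpc_enabled` line: the two remaining filters block pingbacks while leaving authenticated publishing intact.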

Leave Your Feedback

Have questions or concerns? You can either leave them for me (Kim) below or you can visit with Regina at her site and ask her there! 

Be sure to share this article with friends and colleagues so we can all help keep our sites safe.

Regina & Kim

PS: If you previously deactivated pingbacks/trackbacks in your dashboard, that did not help as much as we hoped. It's better to use this plugin. Then you can re-enable it in the dashboard. Then, once WP patches, you can remove this plugin and everything will "just work" again.

11 comments
Jan

Thanks for this info Kim! Just finished updating my sites with the plugin you recommended. Vigilance never ends - thanks for being on the front lines! Best wishes for 2013!!

Sue

I think I fixed my Hacker issue. Under Settings, General, I had.... Anyone Can Register checked. I have unchecked this now and am hoping for the best.

Sue

Hi, I am currently under Hacker attacks. They are able to come in and make themselves a User as Admin. When this first started happening, I hired a company for protection. Good, now I am safe. Only thing is that this December 23 and now 27th and 28th (most significantly) they are able to get in. Protection company has installed a plugin to try to track them/block them and find out how they are getting in. Of significance, a hacker got in last night beyond the plugin. Long story involved, but, could this vulnerability in this article be how they are getting in. I never had pingback/trackbacks checked, but as the article states, that does not matter. Just wondering what you think? I am continuing to work with my protection company here this morning in hopes of resolving this Most Distressing situation.

Nicole~

Thanks! I've added this to both of my sites. I am sure you will let us know when this security issue is corrected by WordPress.

marquita herald

Thanks for the heads up Kim - taken care of it all. Could grumble, but stuff happens, and the important thing is you helped us to avoid potential problems.

Sherryl Perry

Kim,

As always, I appreciate your taking the time to make us aware of issues like this. I've been dealing with severe performance issues on my site and I'm wondering if this vulnerability is contributing to it. I've taken the steps outlined here and in the article that you linked to. I have my fingers crossed that this will help with that problem as well as keep my site safe. Thanks so much!

Joe Emmet

Hi Kim,

What Chuck said!

I sometimes wonder what would happen if people used their "jenius" for positive endeavors. They would probably make a fortune.

Thanks for always being there to alert us to the dangers hackers pose on the ol' WP.

Joe

Steve

That is pretty scary. I am going to read the original vulnerability post to see if they describe exactly what the scammers are doing.

Chuck Barnes

Kim

Thanks for this information. It appears we must remain extremely vigilant in protecting our WordPress sites. The hackers out there truly amaze me with their unending ingenuity.

Thanks Again

CB

Michelle Phillips

Hi Kim,

Thanks so much for this post! It wasn't the way I planned to start my day, but I did follow all of your advice and implemented the steps you outlined. Everything went smoothly. I try to stay on top of all this, but it's so helpful that you are one step ahead of me!

Question: what will it hurt to leave all of this in place once the vulnerability has been fixed? I do not remotely connect to my blog.

Thank you again!

Michelle Phillips

Chris MacLellan

Hello Kimberly.

I have been following you for quite some time now and appreciate your advice. I am considering moving from WP.com to WP.org to enhance my blog 'The Purple Jacket'.

What is the best route to go, and what are your fees to help in this process?

Looking forward to hearing from you!

Chris