WordPress Security Warning: Pingback Vulnerability & Temporary Fix

Affects ALL Present Versions of WordPress

This article is courtesy of WPSecurityLock's security pro, Regina Smola. (Thanks Regina!)

A WordPress pingback vulnerability has been reported that could put your site's security at risk by letting it be used in a distributed denial-of-service (DDoS) attack.

Many WordPress bloggers use pingbacks and trackbacks to get notifications when someone links to their posts. I am one that likes to use them as well. But unfortunately, this new pingback vulnerability puts all our WordPress sites at risk.

A big thanks goes out to Bogdan Calin at Acunetix for alerting the public with his article "WordPress Pingback Vulnerability". He stated that somebody posted on Reddit about a WordPress scanner that is taking advantage of this new WordPress vulnerability. And even if you disable trackbacks, the threat still exists.

Which version of WordPress is affected?

Judging from the comments on Bogdan's article, all versions of WordPress, even the current WordPress 3.5, are at risk.

How do you protect your WordPress blog from this pingback vulnerability?

According to Bogdan, there is no current fix, but it has been reported to WordPress and will probably be fixed soon. In the meantime, you can disable your COMPLETE pingback/trackback system (the XML-RPC interface served by xmlrpc.php) as follows:

Note from Kim: This patch is a "necessary evil" for the time being. I generally never recommend disabling this. However, at this time, it's critical that you do so. Just re-enable it as soon as WordPress patches this vulnerability.

Until there is a WordPress security patch, I strongly suggest you follow the steps below to protect all your WordPress sites from this pingback vulnerability.

How to deactivate WordPress xmlrpc.php file with a plugin

Note from Kim: If you do this, any tool that connects through xmlrpc will no longer work. Most likely this does not affect you, but if you connect to your blog remotely using Windows Live Writer or a similar client, you will not be able to do so after you make this change.

My friend Nathan Briggs has just released a plugin that effectively deactivates the xmlrpc file. It actually does a better job than manually deleting or renaming the file, because it disables XML-RPC in a way that does not cause WordPress to generate lots of log errors complaining about the missing file.

Get it => Prevent XMLRPC
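To show what such a plugin does under the hood, here is an added example written for this article (not Nathan Briggs's Prevent XMLRPC plugin and not code from the original post) that turns the pingback methods off from within WordPress rather than deleting xmlrpc.php. It assumes WordPress 3.5 or later and that the file is placed in wp-content/mu-plugins/ so it loads without activation.

```php
<?php
/*
Plugin Name: Disable XML-RPC Pingbacks (example)
Description: Example mitigation for the pingback DDoS issue; drop into wp-content/mu-plugins/.
*/

// Tell WordPress that XML-RPC is disabled. Caveat: this filter (WordPress 3.5+) only
// blocks methods that require a login; pingback.ping needs no login, so on its own
// it does NOT stop the pingback abuse described above.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods from the XML-RPC method table. xmlrpc.php then answers
// a pingback.ping call with a "method does not exist" fault instead of fetching the
// URL the caller supplied, and no "missing file" errors are logged.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint by dropping the X-Pingback response header
// that WordPress adds to every page.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Close pings on all posts, so incoming pingbacks are refused even if the method
// were reachable through some other path. Re-enable in the dashboard afterwards
// without touching this file.
add_filter( 'pings_open', '__return_false' );
```

Once WordPress ships a fix, delete the file from mu-plugins and XML-RPC clients such as Windows Live Writer work again.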

Leave Your Feedback

Have questions or concerns? You can either leave them for me (Kim) below or you can visit with Regina at her site and ask her there! 

Be sure to share this article with friends and colleagues so we can all help keep our sites safe.

Regina & Kim

PS: If you previously deactivated pingbacks/trackbacks in your dashboard, that did not help as much as we hoped. It's better to use this plugin; then you can re-enable pingbacks/trackbacks in the dashboard. Once WP patches, you can remove this plugin and everything will "just work" again.


11 Comments on "WordPress Security Warning: Pingback Vulnerability & Temporary Fix"

Chris MacLellan
2 years 5 months ago

Hello Kimberly.

I have been following you for quite some time now and appreciate your advice. I am considering moving from WP.com to WP.org to enhance my blog 'The Purple Jacket'.
What is the best route to go and what are your fees to help in this process?

Looking forward to hearing from you!

2 years 5 months ago

Hi Kim,
Thanks so much for this post! It wasn’t the way I planned to start my day, but I did follow all of your advice and implemented the steps you outlined. Everything went smoothly. I try to stay on top of all this, but it’s so helpful that you are one step ahead of me!

Question: what will it hurt to leave all of this in place once the vulnerability has been fixed? I do not remotely connect to my blog.

Thank you again!
Michelle Phillips

2 years 5 months ago

Thanks for this information. It appears we must remain extremely vigilant in protecting our WordPress sites. The hackers out there truly amaze me with their unending ingenuity.

Thanks Again

2 years 5 months ago

That is pretty scary. I am going to read the original vulnerability post to see if they describe exactly what the scammers are doing.

Joe Emmet
2 years 5 months ago

Hi Kim,

What Chuck said!

I sometimes wonder what would happen if people used their “jenius” for positive endeavors. They would probably make a fortune.

Thanks for always being there to alert us to the dangers hackers pose on the ol’ WP.