WordPress XMLRPC Pingback
As many people know, WordPress Pingbacks are commonly used as a Layer 7 amplification technique.
I am curious if anyone these days actually uses Pingbacks legitimately. Personally, whenever I ran a WordPress blog I would always disable them for the abused spam that they are. Nonetheless, thoughts?
Poll: WordPress XMLRPC Pingbacks - Yay or Nay? (35 votes)
- I don't run WordPress: 28.57%
- Disabled: 62.86%
- Enabled: 8.57%
Comments
I have probably over 100+ WordPress sites and I block/deny xmlrpc on all of them through nginx. The only time I have needed it is for the ones which I use Jetpack on, and for those I will rate-limit xmlrpc.
I've seen them used more in attacks than I've had any legitimate pingbacks! WordPress user agent disabled on all my servers...
This might be different for a big blog though.
Yea, I disable them. It's also easy to block layer 7 attacks coming from infected sites because the signature is a constant user agent, and I always recommend upgrading the software regularly for new website owners.
Of course there are other uses for XMLRPC, I am simply referring to blog pingbacks for now.
For those curious, currently we monitor for large spikes and then apply a deny filter. This is commonly how most companies (or at least those who don't block either pingbacks or the WP UA entirely) do it.
Currently I am considering if it is worth the investment building a more intelligent system that would allow legitimate pingbacks through.
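The spike-then-deny approach described above, written out as an added example that is not code from the thread: it parses constructed nginx access-log lines, keeps only POSTs to xmlrpc.php carrying the constant `WordPress/x.y; http://blog` user agent mentioned earlier, counts them per client IP per minute, and emits nginx `deny` lines for sources over a threshold. All IPs, hostnames and the threshold are made-up placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (nginx "combined" format); addresses and blogs are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2016:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/4.4.2; http://blog-a.example"
198.51.100.7 - - [10/Mar/2016:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/4.4.2; http://blog-a.example"
198.51.100.7 - - [10/Mar/2016:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/4.4.2; http://blog-a.example"
198.51.100.7 - - [10/Mar/2016:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/4.4.2; http://blog-a.example"
198.51.100.7 - - [10/Mar/2016:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/4.4.2; http://blog-a.example"
203.0.113.5 - - [10/Mar/2016:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/4.4.2; http://blog-b.example"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Pingback requests sent by WordPress identify themselves with the originating blog URL.
WP_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<blog>https?://\S+)$')

def xmlrpc_pingback_hits(log_text):
    """Yield (client_ip, minute_bucket, origin_blog) for every WordPress-UA POST to xmlrpc.php."""
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        if rec is None or rec['method'] != 'POST' or not rec['path'].startswith('/xmlrpc.php'):
            continue
        ua = WP_UA_RE.match(rec['ua'])
        if ua is None:
            continue
        minute = rec['ts'][:17]  # "10/Mar/2016:12:00" -> one-minute bucket
        yield rec['ip'], minute, ua.group('blog')

def flag_sources(log_text, threshold=3):
    """Return {ip: [origin blogs]} for IPs exceeding `threshold` pingback POSTs in any one minute."""
    per_bucket = Counter()
    blogs = defaultdict(set)
    for ip, minute, blog in xmlrpc_pingback_hits(log_text):
        per_bucket[(ip, minute)] += 1
        blogs[ip].add(blog)
    flagged = {ip for (ip, _minute), n in per_bucket.items() if n > threshold}
    return {ip: sorted(blogs[ip]) for ip in flagged}

def nginx_deny_lines(flagged):
    """Render flagged IPs as nginx `deny` directives for inclusion in a server/location block."""
    return [f"deny {ip};" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(nginx_deny_lines(flag_sources(SAMPLE_LOG))))
```

Legitimate single pingbacks from a blog (one POST, as from 192.0.2.9 here) stay under the threshold, which is the starting point for letting real pingbacks through while denying floods.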
xmlrpc will be removed in future WP versions. They are in the last stages of adding a REST API to WP core and once that's perfected they will remove the legacy xmlrpc thing.
In the meantime you deny access to it.
@Abdussamad pingbacks will remain however? Got a source?
Pingbacks increase my search rating on Excite and Lycos!
Probably but you can turn those off in settings > discussion.
See here
Any chance to disable it on all my wp sites at once?
And any other tips for basic security of a WP site? Just installed one, and I tried to change the wp-admin page with no luck.
Never use a pirated plugin/theme for starters.
Nah, just like 5 plugins, 2 of them cloudflare
Almost always block it if not rate limit the shit out of it. Some of the highest traffic I've seen is to that worthless php file.