

Wordpress XMLRPC Pingback

SplitIce Member, Host Rep

As many people know, Wordpress Pingbacks are commonly used as a Layer 7 amplification technique.

I am curious if anyone these days actually uses Pingbacks legitimately. Personally, whenever I ran a Wordpress blog I would always disable them for the abused spam that they are; nonetheless. Thoughts?

Poll: Wordpress XMLRPC Pingbacks, Yay or Nay? (35 votes)
  1. I don't run Wordpress: 28.57%
  2. Disabled: 62.86%
  3. Enabled: 8.57%

Comments

sin Member

I have probably 100+ Wordpress sites and I block/deny xmlrpc on all of them through nginx. The only time I have needed it is for the ones I use Jetpack on, and for those I rate-limit xmlrpc.

I've seen them used more in attacks than I've had any legitimate pingbacks! WordPress user agent disabled on all my servers...

    This might be different for a big blog though.

Thanked by doghouch
MacPac Member
    edited June 2016

Yeah, I disable them. It's also easy to block layer 7 attacks coming from infected sites because the signature is a constant user agent, and I always recommend upgrading the software regularly for new website owners.

SplitIce Member, Host Rep
    edited June 2016

    Of course there are other uses for XMLRPC, I am simply referring to blog pingbacks for now.

For those curious, currently we monitor for large spikes and then apply a deny filter. This is commonly how most companies (or at least those who don't block either pingbacks or the WP UA entirely) do it.

    Currently I am considering if it is worth the investment building a more intelligent system that would allow legitimate pingbacks through.
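The two mechanisms the posts above rely on, MacPac's "constant user agent" signature and SplitIce's "spike, then deny" filter, as an added Python example. This is not code from the thread or from WordPress or X4B; the host names, IP addresses and access-log lines are constructed for the example. What is real: a pingback is triggered by an XML-RPC `pingback.ping` call with two string parameters (sourceURI, targetURI), and the verification GET that WordPress then sends to sourceURI carries a User-Agent of the form `WordPress/<version>; <site URL>; verifying pingback from <IP>`, which is the signature the log parser keys on.

```python
"""Pingback reflection: the request an attacker sends to a reflector, and a
spike-then-deny filter over the reflected GETs as they appear in the victim's
nginx/Apache combined access log. Example code written for this page."""
import re
import xmlrpc.client
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical hosts (not from the thread): the victim the attacker lies about
# in sourceURI, and a real post on the reflecting blog for targetURI.
VICTIM = "http://victim.example/"
POST = "http://blog-1.example/2016/06/hello-world/"


def build_pingback_request(source_uri, target_uri):
    """XML-RPC body an attacker POSTs to /xmlrpc.php on each reflector.
    sourceURI is attacker-chosen; targetURI must resolve to a real post on the
    reflector, otherwise WordPress rejects the call before fetching anything."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def parse_pingback_request(body):
    """Return (sourceURI, targetURI) if body is a pingback.ping call, else None."""
    params, method = xmlrpc.client.loads(body)
    return tuple(params) if method == "pingback.ping" and len(params) == 2 else None


# Combined log format, and the User-Agent WordPress uses for the verification
# GET. The trailing IP is whatever the reflector saw send the pingback.ping;
# it is reported by the reflector, so treat it as a hint, not as evidence.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
UA_RE = re.compile(
    r"^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<orig>\S+)$"
)


def parse_line(line):
    """Parse one combined-format line; pingback fields are None for other UAs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua = UA_RE.match(m["ua"])
    return {"ip": m["ip"], "ts": ts, "req": m["req"],
            "site": ua["site"] if ua else None,
            "orig": ua["orig"] if ua else None}


def pingback_spikes(lines, window=10, threshold=5):
    """Bucket pingback-verification GETs into `window`-second buckets. A bucket
    holding more than `threshold` of them is a spike, and every reflector IP
    seen in a spike bucket goes on the deny list. Returns the peak bucket size,
    per-reflector and per-claimed-origin counts, and the sorted deny list."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["site"]:
            buckets[int(rec["ts"].timestamp()) // window].append(rec)
    deny, reflectors, claimed = set(), Counter(), Counter()
    for recs in buckets.values():
        for r in recs:
            reflectors[r["ip"]] += 1
            claimed[r["orig"]] += 1
        if len(recs) > threshold:
            deny.update(r["ip"] for r in recs)
    peak = max((len(v) for v in buckets.values()), default=0)
    return {"peak": peak, "reflectors": reflectors,
            "claimed_origins": claimed, "deny": sorted(deny)}


# Constructed sample log (victim's view): six reflected GETs from three
# reflectors inside one 10-second bucket, one ordinary visitor, and one
# stray pingback five minutes later that should not be denied.
def _pb(ip, sec, site):
    return (f'{ip} - - [10/Jun/2016:12:{sec} +0000] "GET / HTTP/1.1" 200 5120 "-" '
            f'"WordPress/4.5.2; http://{site}; verifying pingback from 203.0.113.7"')

SAMPLE_LOG = [
    _pb("198.51.100.10", "00:01", "blog-1.example"),
    _pb("198.51.100.11", "00:02", "blog-2.example"),
    '192.0.2.44 - - [10/Jun/2016:12:00:03 +0000] "GET /about HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"',
    _pb("198.51.100.12", "00:03", "blog-3.example"),
    _pb("198.51.100.10", "00:04", "blog-1.example"),
    _pb("198.51.100.11", "00:05", "blog-2.example"),
    _pb("198.51.100.12", "00:06", "blog-3.example"),
    _pb("198.51.100.13", "05:00", "blog-4.example"),
]

if __name__ == "__main__":
    print(build_pingback_request(VICTIM, POST))
    result = pingback_spikes(SAMPLE_LOG)
    print("peak per 10s:", result["peak"])
    print("deny:", result["deny"])
```

The deny list here is reflector IPs, which is the cheapest filter to push into a firewall; denying on the `WordPress/...; verifying pingback from` User-Agent instead blocks every reflector at once at the cost of also blocking the rare legitimate pingback, which is the trade-off the thread is about. The "verifying pingback from" address is useful for finding the host that is issuing the `pingback.ping` calls, but a compromised reflector can report anything there.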

  • xmlrpc will be removed in future WP versions. They are in the last stages of adding a REST API to WP core and once that's perfected they will remove the legacy xmlrpc thing.

    In the meantime you deny access to it.

SplitIce Member, Host Rep

    @Abdussamad pingbacks will remain however? Got a source?

raindog308 Administrator, Veteran

    Pingbacks increase my search rating on Excite and Lycos!

SplitIce said: pingbacks will remain however?

    Probably, but you can turn those off in Settings > Discussion.

    SplitIce said: Got a source?

    See here

Thanked by theroyalstudent
WHT Member

    Any chance to disable it on all my wp sites at once?

Thanked by netomx
netomx Moderator, Veteran

And any other tips for basic securing of a WP site? Just installed one, and I tried to change the wp-admin page with no luck :/

Nomad Member

    @netomx said:
And any other tips for basic securing of a WP site? Just installed one, and I tried to change the wp-admin page with no luck :/

    Never use a pirated plugin/theme for starters.

netomx Moderator, Veteran

    @Nomad said:

    @netomx said:
And any other tips for basic securing of a WP site? Just installed one, and I tried to change the wp-admin page with no luck :/

    Never use a pirated plugin/theme for starters.

Nah, just about 5 plugins, 2 of them Cloudflare.

agoldenberg Member, Host Rep

Almost always block it, if not rate-limit the shit out of it. Some of the highest traffic I've seen is to that worthless PHP file.
