How to Disable XML-RPC Pingback in WordPress?

Thanks to WordPress’ fantastic XML-RPC tool, you can publish articles remotely using a tablet, smartphone or Windows Live Writer. Leaving XML-RPC enabled on your WordPress blog, however, carries a risk. Recently, using XML-RPC on one of my WordPress blogs, an attacker forwarded spam traffic to multiple domains. Since this was an outdated version of WordPress (on a deprecated domain), even the XML-RPC could have been vulnerable to an attack. However, the security of XML-RPC in the most recent version of WordPress worries me. If you ever want to disable XML-RPC in WordPress, there are three ways to do so.

99% of pingbacks are spam. Because pingbacks are usually displayed as regular comments, spammers send pingback notifications to get links to their content and collect link juice from the targeted website. Additionally, abuse of the XML-RPC pingback feature can facilitate Distributed Denial of Service (DDoS) attacks. By taking advantage of trusted blogs and websites, this vulnerability can make them unknowingly participate in DDoS attacks against particular websites.

How does Pingback DDoS work?

In order to launch a DDoS attack against a target system, a malicious hacker sends specially designed pingback instructions to a large number of innocent WordPress blogs that have pingbacks enabled, tricking them into believing that the perpetrator is the target system. By sending a deluge of responses, the blogs unwittingly deliver erroneous traffic to the target system.

If you stop pingbacks, DDoS attacks against your blog are no longer possible. In fact, you only need to disable some of the supported XML-RPC features. If you disable XML-RPC entirely, you may run into problems with some of your plugins, like JetPack, which rely on XML-RPC to communicate with remote servers.

Method 1: Use the built-in settings

The easiest solution is to uncheck the item in WordPress settings. Under Settings->Discussion, uncheck the box next to “Allow link notifications from other blogs (pingbacks and trackbacks)”. Select “Save Changes” after that.

This will only block pingbacks (and trackbacks) for upcoming posts and pages; it will not impact current posts and pages. To disable them for already existing posts and pages as well, you need to run a few SQL queries. You can use the phpMyAdmin tool for this. Simply search for the phpMyAdmin tool in the cPanel control panel of your web hosting account. Once there, locate the blog database and select the SQL tab. Then type the following commands:

    -- Close pingbacks on already published posts.
    -- wp_ is the default table prefix; adjust it if your installation uses another.
    UPDATE wp_posts SET ping_status = 'closed'
    WHERE post_status = 'publish' AND post_type = 'post';

    -- Close pingbacks on already published pages.
    UPDATE wp_posts SET ping_status = 'closed'
    WHERE post_status = 'publish' AND post_type = 'page';

To find out which database your blog uses, follow these steps:

  1. Connect to your hosting account with an FTP client, for example, WinSCP;
  2. Go to the root directory of your site, usually public_html;
  3. Locate and open wp-config.php;
  4. In this file, locate the string DB_NAME; this should take you to a statement like this: define('DB_NAME', 'pref_wp239'); The second parameter is the database name.

Method 2: Use plugins

One of the simplest plugins, which does exactly what its name says, is disable-xml-rpc-pingback. This free plugin only disables the pingback part of the XML-RPC API.

Just go to Plugins->Add New and enter “disable xml rpc pingback” in the search box. Then install “Disable XML-RPC pingback” by Samuel Aguilera. Once done, you need to activate it.

Method 3: A little coding

You have to go to Appearance->Editor. Choose functions.php and add this code at the end:

    // Disable pingbacks: remove the pingback method from the XML-RPC API.
    add_filter( 'xmlrpc_methods', function( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    } );

Don’t forget to click “Update File” once finished.
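To confirm that the filter from Method 3 (or the plugin from Method 2) took effect, you can ask your own site which XML-RPC methods it still advertises. The Python script below is an added example, not part of the original article; it assumes the site answers the standard system.listMethods introspection call, and the sample responses in it are constructed.

```python
import urllib.request
import xmlrpc.client

# Request body for the standard XML-RPC introspection call.
LIST_METHODS_CALL = xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def fetch_method_list(endpoint):
    """POST system.listMethods to your own site's xmlrpc.php; return the raw XML."""
    req = urllib.request.Request(
        endpoint, data=LIST_METHODS_CALL, headers={"Content-Type": "text/xml"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def check_pingback(response_xml):
    """Classify a system.listMethods response.

    Returns (verdict, methods); methods lists every advertised method whose
    name starts with "pingback.".
    """
    try:
        (methods,), _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        # The server answered with a fault instead of a method list.
        return ("fault %d" % fault.faultCode, [])
    exposed = sorted(m for m in methods if m.startswith("pingback."))
    return ("pingback exposed" if exposed else "pingback disabled", exposed)


# Constructed sample responses (not captured from a real site).
BEFORE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPost", "pingback.ping"],), methodresponse=True
)
AFTER = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPost"],), methodresponse=True
)
FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "constructed fault: service disabled"),
    methodresponse=True,
)

if __name__ == "__main__":
    for name, xml in (("before", BEFORE), ("after", AFTER), ("fault", FAULT)):
        print(name, check_pingback(xml))
```

Against a live site, pass the output of fetch_method_list() for your own xmlrpc.php URL to check_pingback(); the verdict should change from “pingback exposed” to “pingback disabled” once the filter is active.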
