May 1, 2013

Posted in:

Tagged:


WordPress Pingback, XML-RPC and Trackback

By default, installations of WordPress allow pingback/trackback and XML-RPC. What pingback/trackback does is attempt to notify a URL linked within a blog that content was posted. WordPress offers the following explanation:

  • Person A posts something on his blog.
  • Person B posts on her own blog, linking to Person A’s post. This automatically sends a pingback to Person A when both have pingback enabled blogs.
  • Person A’s blog receives the pingback, then automatically goes to Person B’s post to confirm that the pingback did, in fact, originate there.

With a specially crafted URL, an attacker’s server will distribute a pingback with the victim’s URL (a legitimate site) and then can potentially flood the legitimate site with traffic, also known as a Distributed Denial of Service (DDoS). More information about this can be found on Incapsula’s article: WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks

At the current time, there is no update or fix for this other than turning off WordPress pingback/trackbacks and XML-RPC. See our KB article on disabling this functionality.

Go back