We’ve seen many WordPress sites being abused recently via the Pingback function in xmlrpc.php: an attacker calls pingback.ping on a large number of sites and has each of them fetch a victim URL, turning ordinary WordPress installs into DDoS reflectors. Here are some good articles on the topic:
http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos
http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/
If you don’t need xmlrpc.php or Pingbacks, then we recommend blocking xmlrpc.php in your .htaccess file by adding code like this (this is the Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise use the equivalent `Require all denied` inside the same Files block):
```apache
# protect xmlrpc
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
```
Or you could rename or remove the xmlrpc.php file, bearing in mind that the next WordPress core update will put it back, so the web-server rule is the more durable option.
Here’s the equivalent config to block xmlrpc.php in Nginx (requests to the file get a 403):
```nginx
location = /xmlrpc.php {
    deny all;
}
```
3 Responses
Thanks for this. We were getting hit with DDoS pingback spam and wanted to ease the server load and then focus on capturing logs of what they were at.
Cheers!
Glad we could help!
Very good solution, applied on http:gongo.pl, it works well.