We’ve seen many WordPress sites being abused recently via the Pingback function in xmlrpc.php. Here are some good articles on the topic:
http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos
http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/
If you don’t need xmlrpc.php or Pingbacks then we recommend that you block xmlrpc.php in your .htaccess file by adding code like this:
    # protect xmlrpc
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>
Or you could rename or remove the xmlrpc.php file.
Here’s the config to block xmlrpc.php from Nginx:
    location = /xmlrpc.php {
        deny all;
    }
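To tell whether a site is already being hit, and to confirm the block is working once it is in place, a quick pass over the access log helps. This is an added example, not code from the original post: it parses combined-format (Apache/Nginx default) access log lines, counts POST requests to xmlrpc.php per client IP, and splits them into served (2xx) versus denied (403 from the rules above, 404 if the file was renamed or removed). The log lines and IPs are constructed samples; the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Combined log format: client IP, identity, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two clients posting to xmlrpc.php, one normal page view,
# and one request denied after the .htaccess / nginx block was added.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [10/Mar/2013:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [10/Mar/2013:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.23 - - [10/Mar/2013:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.55 - - [10/Mar/2013:10:00:05 +0000] "GET /2013/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.0" 403 214 "-" "-"
"""

def xmlrpc_stats(log_text, threshold=3):
    """Return ({ip: {"served": n, "denied": n}}, [ips at or above threshold]).

    Only POSTs to xmlrpc.php are counted; a 2xx status means WordPress answered
    the XML-RPC call, anything else means the request was refused.
    """
    per_ip = defaultdict(lambda: {"served": 0, "denied": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        bucket = "served" if m.group("status").startswith("2") else "denied"
        per_ip[m.group("ip")][bucket] += 1
    noisy = sorted(ip for ip, c in per_ip.items() if c["served"] + c["denied"] >= threshold)
    return dict(per_ip), noisy

if __name__ == "__main__":
    stats, noisy = xmlrpc_stats(SAMPLE_LOG)
    for ip, c in sorted(stats.items()):
        print(f"{ip:16} served={c['served']} denied={c['denied']}")
    print("at or above threshold:", noisy)
```

On a live server, feed it the real access log (for example `xmlrpc_stats(open("/var/log/nginx/access.log").read())`); a growing "denied" column with no "served" entries is the sign that the block is doing its job.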