Celebrating 20 years online :)
Web Dev + WordPress + Security

Protection for WordPress Pingback Vulnerability

It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file.

Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.).
Update: Check out the alternate method to whitelist specific IPs while protecting against threats.

About the Pingback Vulnerability

According to this article, there are four ways that WP‘s XML-RPC API (specifically, the pingback.ping method) could be abused by an attacker:

  • Intel gathering — attacker may probe for specific ports in the target’s internal network
  • Port scanning — attacker may port-scan hosts in the internal network
  • DoS attacks — attacker may pingback via large number of sites for DoS attack
  • Router hacking — attacker may reconfigure an internal router on the network

Again, this is just a summary for reference, see the original article for more details on these various vulnerabilities as well as the pingback.ping method. No need to rehash everything here :)

Protect against WordPress Pingback Vulnerability

If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:

# protect xmlrpc
<IfModule mod_alias.c>
	RedirectMatch 403 /xmlrpc.php

Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”. Tip: to redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:

# protect xmlrpc
<IfModule mod_alias.c>
	Redirect 301 /xmlrpc.php http://example.com/custom-page.php

Alternate .htaccess method

Here is an alternate .htaccess technique for denying all access to xmlrpc.php:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all

Using this method, it’s possible to allow access to xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
	Allow from 321.654.987

Note: if you use one of these .htaccess methods, keep in mind that it may be removed once the reported vulnerability is secured in a future version of WordPress.

For further discussion, check out my post at DigWP.com: The xmlrpc.php File and Site Security.

Thanks to Yael K. Miller for bringing this to my attention.

About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
The Tao of WordPress: Master the art of WordPress.

23 responses to “Protection for WordPress Pingback Vulnerability”

  1. Excellent, thanks for the heads up!

  2. Yael K. Miller 2013/01/03 10:25 am

    Thanks for writing this post.

    There is a plugin Prevent XMLRPC that disables XMLRPC. But I know you prefer .htaccess solutions to plugin ones if possible. Plus, one of your methods allows white-listing which is a great option.

    And I wouldn’t hold my breathe about an official WordPress fix. The issue was reported 6 years ago and Priority is set to “low.”

    • Jeff Starr 2013/01/03 5:48 pm

      You’re welcome :)

      Thanks for the tip on Prevent XMLRPC — I should’ve checked for a plugin, they’re useful for a lot of folks. As you mention, I prefer handling HTTP activity with .htaccess for better performance, which is beneficial during DoS attacks, aggressive scans, etc. For this particular threat, I think either is fine.

      Yeh.. not holding my breath, but hopeful for a fix.

  3. simple and neat trick. Thanks

  4. janw.oostendorp 2013/01/04 2:08 am

    Don’t forget that the mobile apps also use the XMLRPC

  5. Daniel Carrero 2013/01/04 11:22 am

    Hi thanks for this tip
    Just a question: why only delete or rename the file or put some header() in the first line on xmlrpc.php file?
    Thanks again :)

    • Hi Daniel, yes that’s also an effective technique, but not mentioned in the article because it goes against the idea of “not hacking the WP core,” which tends to upset a few highly outspoken folks :)

  6. Michael Clark 2013/01/04 4:51 pm

    Is there ever a valid reason for a web browser to access a WordPress site’s xmlrpc.php file? Glancing through my server logs, I see many requests for it. Many give a referer from a page on the site itself. I guess pingbacks are valid, but it’s been a long time since I’ve gotten a non-spam pingback.

    Note: comment edited for clarity

  7. Vernessa Taylor 2013/01/04 9:52 pm

    Just moved all my sites to a VPS and was ready to install latest version of WP when I came across convos about this vulnerability. Thanks for the .htaccess method of protection. Some of the alternatives were a bit involved.

    Appreciate Yael K. Miller’s input on the plugin, too … Something I can share.

  8. I ve added the WordPress limit login attempts plugin and since than adding it I find that my wordpress is probed daily for username and pws along with other things like out of date themes. I believe simple user names and short pws will no longer do if you want hackers not to gain access to your WordPress blog.

  9. Nice one ! I’m new to the WP world and any and all information is useful. Thanks

  10. Keith Davis 2013/01/21 1:34 pm

    Vernessa T – I’m using the plugin.
    Used it on a few sites, which means I can just remove it if the problem is ever sorted.

    • Likewise the .htaccess snippet can be removed anytime, and it’s better for site performance than using a plugin.

  11. Yael K. Miller 2013/01/25 9:47 am

    Is this no longer necessary with WordPress 3.5.1?

  12. When I’m checking “http://mysite.com/xmlrpc.php” I got this message, what is it mean? My XML-RPC not protected? XML-RPC server accepts POST requests only is a good sign for security?

    • Jeff Starr 2013/02/08 4:23 pm

      That is the default/normal response for non-POST requests.. nothing to worry about (but make sure you’re running the latest version of WP).

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
Crazy that we’re almost halfway thru 2024.
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.