Save 25% on our pro plugins with coupon code: SPRING2023
Web Dev + WordPress + Security

Protection for WordPress Pingback Vulnerability

It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file.

Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.).
Update: Check out the alternate method to whitelist specific IPs while protecting against threats.

About the Pingback Vulnerability

According to this article, there are four ways that WP‘s XML-RPC API (specifically, the method) could be abused by an attacker:

  • Intel gathering — attacker may probe for specific ports in the target’s internal network
  • Port scanning — attacker may port-scan hosts in the internal network
  • DoS attacks — attacker may pingback via large number of sites for DoS attack
  • Router hacking — attacker may reconfigure an internal router on the network

Again, this is just a summary for reference, see the original article for more details on these various vulnerabilities as well as the method. No need to rehash everything here :)

Protect against WordPress Pingback Vulnerability

If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:

# protect xmlrpc
<IfModule mod_alias.c>
	RedirectMatch 403 /xmlrpc.php

Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”. Tip: to redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:

# protect xmlrpc
<IfModule mod_alias.c>
	Redirect 301 /xmlrpc.php

Alternate .htaccess method

Here is an alternate .htaccess technique for denying all access to xmlrpc.php:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all

Using this method, it’s possible to allow access to xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
	Allow from 321.654.987

Note: if you use one of these .htaccess methods, keep in mind that it may be removed once the reported vulnerability is secured in a future version of WordPress.

For further discussion, check out my post at The xmlrpc.php File and Site Security.

Thanks to Yael K. Miller for bringing this to my attention.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
Banhammer: Protect your WordPress site against threats.

23 responses to “Protection for WordPress Pingback Vulnerability”

  1. Avatar photo

    Excellent, thanks for the heads up!

  2. Avatar photo
    Yael K. Miller 2013/01/03 10:25 am

    Thanks for writing this post.

    There is a plugin Prevent XMLRPC that disables XMLRPC. But I know you prefer .htaccess solutions to plugin ones if possible. Plus, one of your methods allows white-listing which is a great option.

    And I wouldn’t hold my breathe about an official WordPress fix. The issue was reported 6 years ago and Priority is set to “low.”

    • Avatar photo
      Jeff Starr 2013/01/03 5:48 pm

      You’re welcome :)

      Thanks for the tip on Prevent XMLRPC — I should’ve checked for a plugin, they’re useful for a lot of folks. As you mention, I prefer handling HTTP activity with .htaccess for better performance, which is beneficial during DoS attacks, aggressive scans, etc. For this particular threat, I think either is fine.

      Yeh.. not holding my breath, but hopeful for a fix.

  3. Avatar photo

    simple and neat trick. Thanks

  4. Avatar photo
    janw.oostendorp 2013/01/04 2:08 am

    Don’t forget that the mobile apps also use the XMLRPC

  5. Avatar photo
    Daniel Carrero 2013/01/04 11:22 am

    Hi thanks for this tip
    Just a question: why only delete or rename the file or put some header() in the first line on xmlrpc.php file?
    Thanks again :)

    • Avatar photo

      Hi Daniel, yes that’s also an effective technique, but not mentioned in the article because it goes against the idea of “not hacking the WP core,” which tends to upset a few highly outspoken folks :)

  6. Avatar photo
    Michael Clark 2013/01/04 4:51 pm

    Is there ever a valid reason for a web browser to access a WordPress site’s xmlrpc.php file? Glancing through my server logs, I see many requests for it. Many give a referer from a page on the site itself. I guess pingbacks are valid, but it’s been a long time since I’ve gotten a non-spam pingback.

    Note: comment edited for clarity

  7. Avatar photo
    Vernessa Taylor 2013/01/04 9:52 pm

    Just moved all my sites to a VPS and was ready to install latest version of WP when I came across convos about this vulnerability. Thanks for the .htaccess method of protection. Some of the alternatives were a bit involved.

    Appreciate Yael K. Miller’s input on the plugin, too … Something I can share.

  8. I ve added the WordPress limit login attempts plugin and since than adding it I find that my wordpress is probed daily for username and pws along with other things like out of date themes. I believe simple user names and short pws will no longer do if you want hackers not to gain access to your WordPress blog.

  9. Avatar photo

    Nice one ! I’m new to the WP world and any and all information is useful. Thanks

  10. Avatar photo
    Keith Davis 2013/01/21 1:34 pm

    Vernessa T – I’m using the plugin.
    Used it on a few sites, which means I can just remove it if the problem is ever sorted.

    • Likewise the .htaccess snippet can be removed anytime, and it’s better for site performance than using a plugin.

  11. Avatar photo
    Yael K. Miller 2013/01/25 9:47 am

    Is this no longer necessary with WordPress 3.5.1?

  12. Avatar photo

    When I’m checking “” I got this message, what is it mean? My XML-RPC not protected? XML-RPC server accepts POST requests only is a good sign for security?

    • Avatar photo
      Jeff Starr 2013/02/08 4:23 pm

      That is the default/normal response for non-POST requests.. nothing to worry about (but make sure you’re running the latest version of WP).

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
.htaccess made easy: Improve site performance and security.
Excellent (and free) tool to test your site's SSL configuration.
Plugin updates! All of our free and pro plugins ready for WordPress 6.2.
Daylight savings is a complete waste of time and needs to be eliminated.
Got a couple of snow days here in mid-March. Fortunately it's not sticking.
I handle all email in real time as it comes in, perpetually clear inbox for years now.
Added some nice features to Wutsearch search engine launchpad. Now 21 engines!
.wp TLD plz :)
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.