How to Deal with the WordPress Security Warning: “Pingback Vulnerability & Temporary Fix”
The WordPress pingback vulnerability is a security issue that can affect any WordPress website on which pingbacks and trackbacks are used to notify the site owner of links back to their posts. It puts the site at risk of being used in a distributed denial-of-service (DDoS) attack. Currently, all WordPress versions are vulnerable, including version 3.5. The issue has been reported to WordPress and a permanent fix is expected, but in the meantime blog owners can work around the problem in the following way:
- Open your WordPress dashboard and click on “Settings”, then “Discussion.”
- Uncheck the “Allow link notifications from other blogs” setting.
- Click the “Save Settings” button. This disables the trackback feature for future posts, but not for posts that were already published with the notification setting “checked.”
- Disable the trackbacks on your older posts from your hosting account’s cPanel dashboard: create a backup of your database first, then run a MySQL query.
- Log in to phpMyAdmin and locate the WordPress database.
- Click the SQL tab.
- Run the following queries:

UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';

- Make sure every ping_status value has been changed to closed.
- When you have finished, rename the WordPress xmlrpc.php file. Open cPanel and the File Manager, go to your WordPress installation and find the file called “xmlrpc.php.” Right-click the file and rename it.
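Renaming xmlrpc.php also breaks legitimate XML-RPC clients such as the WordPress mobile apps. A narrower alternative, added here as an example and not part of the original article, is a must-use plugin that unregisters only the pingback methods, stops advertising the pingback endpoint, and closes pings on new posts by default. The file name disable-pingback.php and the example_ function names are my own choices; the filters used (xmlrpc_methods, wp_headers, pre_option_default_ping_status, xmlrpc_enabled) are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks (added example, not from the original post)
 * Description: Removes the pingback methods from xmlrpc.php so the site cannot be
 *              told to fetch arbitrary URLs, and stops advertising pingback support.
 *
 * Save as wp-content/mu-plugins/disable-pingback.php; must-use plugins load
 * automatically and cannot be deactivated from the dashboard.
 */

// Drop the pingback methods from the XML-RPC server's method table.
// A client calling pingback.ping now gets "method does not exist" instead of
// making WordPress open a connection to the attacker-chosen source URL.
// Every other XML-RPC method (posting, media upload, etc.) keeps working.
function example_remove_pingback_methods( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// Stop sending the X-Pingback header, which tells remote sites (and scanners)
// where this blog accepts pingbacks.
function example_remove_pingback_header( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// Force the Discussion setting "Allow link notifications from other blogs" off,
// so new posts and pages are created with ping_status = 'closed' even if someone
// re-enables the checkbox in the dashboard. Existing posts still need the SQL
// UPDATE from the procedure above.
function example_force_default_ping_status_closed() {
    return 'closed';
}
add_filter( 'pre_option_default_ping_status', 'example_force_default_ping_status_closed' );

// If XML-RPC is not needed at all, disabling it entirely is the equivalent of
// renaming xmlrpc.php without touching the file system (WordPress 3.5+):
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

After deploying, a quick check is that the response to a normal page no longer contains an X-Pingback header and that pingback.ping is absent from the XML-RPC server's method list.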
Bottom Line
The pingback security bug can be used by a malicious hacker to guess hosts inside the target’s network, port-scan those hosts and reconfigure internal routers, or simply to launch a DDoS attack. This is a type of DoS attack in which the system is infected with a Trojan, causing a denial of service for the WordPress system and any other system attached to it. In WordPress this infiltration currently comes through the pingback feature, so turning the feature off temporarily and removing any pingback settings from existing posts can eliminate the issue until WordPress provides a permanent fix.