Re-enable XML-RPC pingback
A pingback is a special type of comment that is created when you link to another blog post. It is implemented by the WordPress XML-RPC module (the pingback.ping method).
IMPORTANT: Since Bitnami WordPress Stack 4.4.2-3, the pingback feature of the XML-RPC module has been disabled.
Other XML-RPC features continue working as before, so you can still publish content to your WordPress blog/website from Web clients or smartphone apps.
In order to enable pingbacks again, edit the WordPress /opt/bitnami/wordpress/wp-config.php configuration file and remove the last two filters related to XML-RPC and pingback. Specifically these lines (the first one strips the X-Pingback response header that advertises the pingback endpoint, the second removes the pingback.ping method from the XML-RPC server):
    // remove x-pingback HTTP header
    add_filter('wp_headers', function($headers) {
        // WordPress sets the header as 'X-Pingback'; PHP array keys are
        // case-sensitive, so the key must match exactly for unset() to work.
        unset($headers['X-Pingback']);
        return $headers;
    });
    // disable pingbacks
    add_filter('xmlrpc_methods', function($methods) {
        // Dropping the method from the table makes pingback.ping return
        // an "unknown method" fault while other XML-RPC calls keep working.
        unset($methods['pingback.ping']);
        return $methods;
    });
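After editing wp-config.php, confirm the change from the outside rather than trusting the file: a site that still advertises pingback answers the standard XML-RPC introspection call system.listMethods with pingback.ping in the list, and sends an X-Pingback response header. The following script is an added example and not part of the Bitnami stack or documentation; the xmlrpc.php URL is a placeholder, and the SAMPLE_* response bodies are constructed here to show what each state looks like.

```python
"""Check whether a WordPress site still exposes pingback over XML-RPC.

Added example (not Bitnami's tooling). check_site() needs network access;
the SAMPLE_* bodies are constructed locally so the parsing logic can be
exercised offline.
"""
import sys
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError


def build_list_methods_request() -> bytes:
    # system.listMethods takes no parameters; dumps() builds the <methodCall>.
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def pingback_enabled(body):
    """Inspect a system.listMethods response body.

    Returns True if pingback.ping is advertised, False if XML-RPC answers but
    the method is gone (the wp-config.php filter is in place), and None when
    the body is not a usable XML-RPC response at all (HTML error page, plain
    text, or a fault such as 'XML-RPC services are disabled on this site').
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        params, _ = xmlrpc.client.loads(body)
    except (xmlrpc.client.Error, ExpatError):
        return None
    if not params or not isinstance(params[0], list):
        return None
    return "pingback.ping" in params[0]


def has_pingback_header(headers) -> bool:
    # HTTP header names are case-insensitive, so normalise before comparing.
    return any(name.lower() == "x-pingback" for name in headers)


def check_site(xmlrpc_url, timeout=10):
    """Live check: returns (x_pingback_header_present, pingback_ping_listed)."""
    req = urllib.request.Request(
        xmlrpc_url,
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return has_pingback_header(resp.headers), pingback_enabled(resp.read())


# Constructed sample bodies, i.e. what the three states look like on the wire.
SAMPLE_ENABLED = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts", "pingback.ping"],), methodresponse=True
)
SAMPLE_DISABLED = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts"],), methodresponse=True
)
SAMPLE_HTML = (
    "<!DOCTYPE html><html><head><title>403 Forbidden</title></head>"
    "<body>Forbidden</body></html>"
)

if __name__ == "__main__":
    # Placeholder URL; pass your own site's xmlrpc.php as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/xmlrpc.php"
    header, method = check_site(url)
    print(f"X-Pingback header present: {header}")
    print(f"pingback.ping advertised:  {method}")
```

Run it against the site before and after removing the two filters: with the filters in place you should see header False and method False; after removing them both become True. A None result means XML-RPC itself is not answering, which is the "Disable XML-RPC" countermeasure discussed further down, not a pingback setting.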
Understand why pingback functionality is disabled by default
WordPress implements an interface to use the XML-RPC protocol. This allows features like remote publishing from Web clients, smartphone apps and more. You can find more info in the WordPress Codex XML-RPC Page.
The XML-RPC feature of WordPress is known to be abused in two ways:
- A brute force amplification attack on your WordPress installation: the system.multicall method lets an attacker pack hundreds of login attempts (for example wp.getUsersBlogs calls with different passwords) into a single HTTP request, so ordinary per-request rate limits do not slow the attack down. Read more about it at this Sucuri blog post about DDoS attacks on WordPress.
- A Distributed Denial of Service (DDoS) attack on other WordPress installations abusing the pingback feature: an attacker sends pingback.ping requests to many WordPress sites naming the victim as the source URL, and every one of those sites fetches the victim's page to verify the pingback. Read more about it at this Sucuri blog post about DDoS attacks on WordPress.
Check the Apache access log for requests to xmlrpc.php. If most of the POST requests to xmlrpc.php come from the same IP address, it is likely your site is either under a brute force amplification attack or being used as a reflector to launch a pingback attack towards a different site. If instead you see many GET requests from different IP addresses whose User-Agent starts with "WordPress/" and contains "verifying pingback from", your site is probably the victim of a pingback attack: those are other WordPress installations verifying pingbacks an attacker sent in your name.
Please keep in mind that neither of these attacks exploits a vulnerability in the code; they are the result of abusing pingbacks and the XML-RPC mechanism as designed.
The DDoS attack became more popular after WordPress version 3.5 was released, because that version removed the option to turn XML-RPC off and left it (and therefore pingbacks) enabled by default.
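The log heuristic above can be turned into a small classifier. The script below is an added example, not part of the Bitnami documentation: it parses Apache "combined" format lines, counts POSTs to xmlrpc.php per source IP and GETs whose User-Agent carries WordPress's "verifying pingback from" marker, and reports which of the two patterns is present. The log lines and IP addresses are constructed for illustration, and the log path in the docstring is an assumption about where the Bitnami stack writes it.

```python
"""Classify XML-RPC abuse patterns in Apache access logs.

Added example, not Bitnami's tooling. Input is Apache "combined" format
(on the Bitnami stack assumed to be /opt/bitnami/apache2/logs/access_log);
the sample logs below are constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample 1: one address hammering xmlrpc.php (brute force, or
# this site being driven as a pingback reflector) next to a legitimate client.
REFLECTOR_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 2048 "-" "wp-android/5.0"
"""

# Constructed sample 2: many WordPress sites fetching our page to verify a
# pingback the attacker sent in our name; this site is the reflection target.
VICTIM_LOG = """\
198.51.100.20 - - [10/Mar/2016:10:00:03 +0000] "GET /2016/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 9901 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.22 - - [10/Mar/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 9901 "-" "WordPress/4.3; http://blog-b.example; verifying pingback from 203.0.113.7"
198.51.100.23 - - [10/Mar/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 9901 "-" "WordPress/4.4; http://blog-c.example; verifying pingback from 203.0.113.7"
"""


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, single_source_share=0.8, min_xmlrpc_posts=3, min_reflectors=3):
    """Return per-IP counters plus a list of verdict codes.

    'single_source_xmlrpc': one IP sends >= single_source_share of all POSTs
        to xmlrpc.php (brute force, or this site used as a reflector).
    'pingback_reflection_target': pingback verification fetches arrive from
        at least min_reflectors distinct WordPress sites (this site is the victim).
    """
    xmlrpc_posts = Counter()
    pingback_checks = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]] += 1
        elif "verifying pingback from" in rec["ua"]:
            pingback_checks[rec["ip"]] += 1

    verdicts = []
    total = sum(xmlrpc_posts.values())
    if total >= min_xmlrpc_posts:
        _ip, n = xmlrpc_posts.most_common(1)[0]
        if n / total >= single_source_share:
            verdicts.append("single_source_xmlrpc")
    if len(pingback_checks) >= min_reflectors:
        verdicts.append("pingback_reflection_target")
    return {
        "xmlrpc_posts_by_ip": xmlrpc_posts,
        "pingback_checks_by_ip": pingback_checks,
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for name, log in (("reflector sample", REFLECTOR_LOG), ("victim sample", VICTIM_LOG)):
        result = analyze(log)
        print(name, "->", result["verdicts"] or ["no XML-RPC abuse pattern"])
        print("  xmlrpc POSTs by IP:", dict(result["xmlrpc_posts_by_ip"]))
        print("  pingback checks by IP:", dict(result["pingback_checks_by_ip"]))
```

The thresholds are deliberately parameters: on a busy site with several legitimate XML-RPC clients a single IP rarely reaches 80% of xmlrpc.php POSTs, while three distinct reflectors in a short window is already unusual. Run it over a time-bounded slice of the log (for example the last few minutes) rather than the whole file, otherwise an old incident can dominate the counts.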
Current countermeasures:
- Since Bitnami WordPress Stack 4.4, the brute force amplification attack is no longer exploitable: WordPress 4.4 changed the XML-RPC server so that once a login fails inside a system.multicall request, the remaining calls in that request are rejected without checking their credentials. A common brute force attack (one login attempt per request) is still possible.
- Since Bitnami WordPress Stack 4.4.2-3, the pingback feature has been disabled. This means a malicious agent won't be able to use your WordPress to perform DDoS attacks on other instances.
- We also ship the Jetpack plugin, whose Protect module can help defend a site against brute force attacks. You can find more information at the Jetpack website. The plugin is inactive by default; enable it from the WordPress admin panel.
Even with these actions, you will still be exposed to common brute force attacks through the XML-RPC module.
Apart from these, there are at least three more countermeasures you can apply, although each one has its own drawbacks:
- Enable mod_security: The mod_security Apache module supplies an array of request filtering and other security features to the Apache HTTP server, so you can block or rate-limit requests to xmlrpc.php. Overly broad rules will also block legitimate XML-RPC clients, so test them against the apps you actually use.
- Disable XML-RPC: It will avoid both types of attacks, but smartphone apps, remote publishing and some plugins won't work. You can find more information at this blog post about disabling XML-RPC in WordPress.
- Block the offending IP addresses: This should be considered a fragile, short-term solution, since attackers move to new addresses and a pingback attack against you arrives from many legitimate WordPress sites rather than from the attacker.