Stop XMLRPC.php Pingback Ping

UPDATE:
If you are looking for a plugin that does this, take a look at Eazy Disable XMLRPC Pingback

Distributed Denial of Service (DDoS) attacks are probably the most popular way to take a website offline. In a nutshell, the attacker uses many machines to flood a single website with requests, overloading the server and knocking the site offline.

WordPress security experts Sucuri documented a case in 2014 where over 162,000 WordPress websites were used for a DDoS attack. Most of the site owners had no idea that their site was being used maliciously, because it involved no real hack of their site, just core WordPress functionality: the pingback.ping method served by xmlrpc.php. The problem lies in the built-in feature that allows blogs to be automatically notified when their content is linked to elsewhere on the internet. An attacker can use these sites as open relays, flooding a target with pingback requests until it goes offline.

Pingbacks can provide value for your site, so filtering them out might not be the best solution in all cases, but if it fits your criteria, drop the following filter and function into a plugin.


<?php
/*
Plugin Name: Disable XML-RPC Pingback
*/

// Remove pingback.ping from the table of XML-RPC methods WordPress serves.
// Other XML-RPC methods (and incoming pingbacks of other kinds) are left alone.
add_filter( 'xmlrpc_methods', 'disable_xmlrpc_pingback' );
function disable_xmlrpc_pingback( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
}
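After activating the plugin, you will want to confirm that pingback.ping is really gone. The script below is an added example, not code from the original post: it builds a standard XML-RPC system.listMethods request with Python's standard library, parses the reply, and reports whether pingback.ping is still advertised. WordPress builds its method table from the same filtered array, so the unset method should no longer appear in that listing. Two abbreviated replies (one before and one after the fix) are constructed inline so the check runs offline; the fetch_methods_xml() helper is the live variant you would point at your own site's /xmlrpc.php.

```python
"""Check whether a WordPress xmlrpc.php still advertises pingback.ping.

Added example; the sample replies BEFORE_FIX and AFTER_FIX are constructed
(abbreviated) method listings, not captured from a real site.
"""
import xmlrpc.client
from urllib.request import Request, urlopen


def build_list_methods_request() -> bytes:
    # system.listMethods takes no parameters, so params is an empty tuple.
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def parse_methods(response_xml: bytes) -> list:
    # loads() returns (params, methodname); for a methodResponse the
    # params tuple holds a single value, the array of method names.
    params, _methodname = xmlrpc.client.loads(response_xml)
    return list(params[0])


def pingback_exposed(methods) -> bool:
    # True means the pingback.ping relay is still reachable.
    return "pingback.ping" in methods


def fetch_methods_xml(url: str, timeout: float = 10.0) -> bytes:
    # Live variant: POST the request to your own site's /xmlrpc.php
    # (for example "https://example.org/xmlrpc.php", a placeholder).
    req = Request(
        url,
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


def report(methods) -> str:
    # Human-readable verdict for the listing that was parsed.
    if pingback_exposed(methods):
        return "pingback.ping is still served; the filter is not active"
    return "pingback.ping is not served; filter is active"


# Constructed sample reply: listing from a site without the filter.
BEFORE_FIX = b"""<?xml version="1.0"?><methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed sample reply: same site with the plugin active.
AFTER_FIX = b"""<?xml version="1.0"?><methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""


if __name__ == "__main__":
    for label, xml in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "->", report(parse_methods(xml)))
```

To run it against a live site, replace the constructed replies with `parse_methods(fetch_methods_xml("https://your-site/xmlrpc.php"))`. Note that this only confirms the method is no longer advertised by WordPress; if xmlrpc.php is blocked entirely at the web server, the request will fail before any XML is returned, which is also a fine outcome.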
