Hackers are using the trackback and pingback function in WordPress for DDoS botnet attacks. Sucuri recently found 162,000 sites being used without the site owners' knowledge.
The XML-RPC function was originally designed to be used as an intranet notification system for WordPress users. But few use it anymore because of spam. Now there is another real security reason to shut this function down on your site, but there are caveats: some plugins and third-party applications also use XML-RPC. Read on for the latest and what you can do to protect your site.
 
Check Your Site Right Now
The Sucuri Test Tool will tell you whether your site appears in their logs of IPs that are being used in the DDoS attacks.
If it comes back clean, great! But that only means your site is not listed in their logs. Be sure to take the steps below to keep your site from ending up on that list!
Disable XML-RPC
By default, this function is turned on in WordPress. You can turn it off in two ways.
 
1. Input Code
This post by Sucuri has instructions for adding code to the functions.php file of your theme. (The code is about 3/4 of the way down the post.)
The caveats – you have to remember to add the code again if you change themes, or perhaps if your theme is updated (if you're not using a child theme). And it disables XML-RPC completely, which may disturb third-party applications that use it. (See below for more on those.)
 
2. Install a Plugin
The nice folks at FooPlugins have created a plugin that removes the pingback function while allowing most third-party apps to keep using the rest of XML-RPC that they need. It's called Remove XMLRPC Pingback Ping. You'll find it in the WordPress plugin repository.
(Thank you to my colleague +Kim Dastleberry for her post about the above plugin and to +Ana Hoffman for alerting me to it!)
The caveat – this plugin, and the others like it listed below, may conflict with other third-party apps or even other plugins. (See the list below.)
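Both approaches above (the functions.php code and the pingback-only plugin) come down to a couple of WordPress filters. The following is an added example, not code from this page, from Sucuri or from FooPlugins. It is written as a must-use plugin (a file dropped into wp-content/mu-plugins/) so it keeps working when you switch or update themes, which removes the first caveat above. By default it strips only the pingback methods so Jetpack and the mobile app keep working; the HARDEN_XMLRPC_BLOCK_ALL constant is an assumed name, not a WordPress setting.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC pingback (added example, not from the page)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php. Must-use plugins load on
 * every request regardless of the active theme, unlike theme functions.php.
 */

// Assumed constant: true refuses every WordPress XML-RPC method, false (default)
// removes only the pingback methods used for DDoS reflection.
if ( ! defined( 'HARDEN_XMLRPC_BLOCK_ALL' ) ) {
	define( 'HARDEN_XMLRPC_BLOCK_ALL', false );
}

/**
 * WordPress runs the 'xmlrpc_methods' filter when wp_xmlrpc_server is built,
 * before any method is dispatched. A method removed from this table is answered
 * with a "method does not exist" fault instead of being executed.
 * (IXR's own system.* introspection methods are added later and stay.)
 */
function harden_xmlrpc_methods( array $methods ) {
	if ( HARDEN_XMLRPC_BLOCK_ALL ) {
		return array();
	}
	// pingback.ping is the method abused to make this site fetch arbitrary URLs.
	unset( $methods['pingback.ping'] );
	unset( $methods['pingback.extensions.getPingbacks'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'harden_xmlrpc_methods' );

/**
 * Stop advertising the endpoint: WordPress adds an X-Pingback response header
 * pointing at xmlrpc.php on normal pages. (Themes that also print
 * <link rel="pingback"> in header.php need that line removed separately.)
 */
function harden_xmlrpc_headers( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'harden_xmlrpc_headers' );

/*
 * Caveat: returning false from 'xmlrpc_enabled' is NOT sufficient on its own.
 * Despite its name, that filter only gates methods that authenticate through
 * wp_xmlrpc_server::login(); pingback.ping never logs in, so it would still run.
 *
 * add_filter( 'xmlrpc_enabled', '__return_false' );
 */
```

After installing it, a POST to xmlrpc.php calling pingback.ping should return an XML-RPC fault rather than trigger an outbound request, while authenticated methods such as those Jetpack and the mobile app use continue to work. If you later add one of the XML-RPC plugins listed below, remove this file first so the two do not fight over the same filters.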

NOTES: I have not tested the above plugin, nor any of the plugins listed below.
Be sure to check your site to ensure that you do not already have another plugin serving this function!

A few of the other plugins that I found in the repository are:
  • Prevent XMLRPC
  • Disable XML-RPC
  • Disable XML RPC Fully
  • Secure XML-RPC
This is only a partial list. There are several more, as well as other plugins that include a similar block for XML-RPC.
 
Third Party Applications and Plugins that use XML-RPC
There are several popular apps and plugins that make use of some part of the XML-RPC function. They are:
  • WordPress Mobile App
  • JetPack (just some parts of it)
  • LibSyn (for podcasts)
  • BuddyPress (for podcasts)
  • Various photo gallery plugins

NOTE: How disabling the XML-RPC function affects some of the apps and plugins above may depend entirely on how you have them configured and/or which features you are using.

The Remove XMLRPC Pingback Ping from FooPlugins is the only one that I have verified to still allow JetPack and the WordPress Mobile App to function.

You want Apache to reject the request before WordPress processes it, so simply add the following to the .htaccess file in the root of your WordPress install:
# Refuse every request for xmlrpc.php at the web server, before PHP runs.
# Note this also breaks Jetpack, the WordPress mobile app and anything else
# that needs XML-RPC (see the list above).
# This is Apache 2.2 syntax; Apache 2.4 only accepts it with mod_access_compat
# loaded, its native equivalent is "Require all denied".
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>