Installing a plugin for WordPress XML-RPC pingback

In the XMLRPC module of any WordPress installation, the pingback feature is enabled. This feature allows an attacker to send requests to a vulnerable WordPress site and use it to attack other websites. In other words, your WordPress installation could be used in a Distributed Denial-of-Service (DDoS) attack without your knowledge.

For more information about this issue, read this Sucuri blog post:
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

The Fix

WordPress has not released a fix for this problem, but there is a WordPress plugin that disables the pingback query (pingback.ping) in the XMLRPC module.
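For readers who want to see what "disabling pingback.ping" means at the code level, here is an added example of a must-use plugin that achieves the same effect through WordPress's own `xmlrpc_methods` filter. It is written for this page and is not the source of the Remove XMLRPC Pingback Ping plugin; the file name and the optional header removal are choices made here.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingback.ping (added example)
 *
 * Added example, not the code of the Remove XMLRPC Pingback Ping plugin.
 * Save as wp-content/mu-plugins/disable-pingback.php (assumed file name);
 * must-use plugins load automatically and cannot be deactivated from the
 * dashboard, which is convenient for a site-wide hardening setting.
 */

// The xmlrpc_methods filter runs when the XML-RPC server builds its table
// of callable methods. Removing the key makes xmlrpc.php answer any
// pingback.ping call with the standard "requested method does not exist"
// fault (code -32601), so the site can no longer be told to contact
// third-party URLs through this method.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Optional extra: stop advertising the pingback endpoint in the X-Pingback
// response header. The header is only a pointer to xmlrpc.php, so this does
// not harden anything by itself, but it removes an unnecessary hint.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Because the method is removed from the server's table rather than intercepted, every other XML-RPC method (the ones mobile apps and Jetpack rely on) keeps working; only pingback.ping disappears.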

Note: The plugin needs to be installed on each WordPress installation.

Remove XMLRPC Pingback Ping plugin:
http://wordpress.org/plugins/remove-xmlrpc-pingback-ping/

Here are the steps to install the plugin:

  1. Log in to your WordPress administrator dashboard.
  2. Once in the dashboard, look at the menu on the left, hover over Plugins and click the “Add New” sub-menu.
  3. In the search box, type “XMLRPC Pingback Ping” and search.
  4. Select the right plugin and click “Install Now”.
  5. Confirm the installation by clicking “OK”.
  6. Once the installation is finished, activate the plugin by clicking “Activate Plugin”.
  7. After installation and activation, the plugin should be listed in the Plugins section.
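Seeing the plugin in the Plugins list only confirms it is active; the check a practitioner wants is whether xmlrpc.php has actually stopped offering pingback.ping. The added example below (written for this page, not part of the plugin) asks the endpoint for its method list with the standard XML-RPC introspection call `system.listMethods` and reports whether pingback.ping is still among them. The script name and `https://example.com` are placeholders; run it against your own site from the command line.

```php
<?php
/**
 * Added example: verify from the outside that a site's XML-RPC endpoint no
 * longer offers pingback.ping. Usage (assumed file name):
 *   php check-pingback.php https://example.com
 * Exit status 0 means disabled, 1 means still exposed.
 */

// system.listMethods is a standard XML-RPC introspection call that returns
// the names of every method the server exposes.
const LIST_METHODS_REQUEST = <<<'XML'
<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
XML;

/** Parse a methodResponse document and return the method names it lists. */
function listedMethods(string $responseXml): array {
    $doc = @simplexml_load_string($responseXml);
    if ($doc === false) {
        throw new RuntimeException('response is not well-formed XML (is XML-RPC enabled at all?)');
    }
    if (isset($doc->fault)) {
        throw new RuntimeException('server returned an XML-RPC fault');
    }
    // Each method name is a <string> inside the returned <array>.
    $names = [];
    foreach ($doc->xpath('//params/param/value/array/data/value/string') as $node) {
        $names[] = (string) $node;
    }
    return $names;
}

/** True when pingback.ping is still advertised by the server. */
function pingbackListed(string $responseXml): bool {
    return in_array('pingback.ping', listedMethods($responseXml), true);
}

/** POST the introspection request to <site>/xmlrpc.php and return the body. */
function fetchMethodList(string $siteUrl): string {
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: text/xml\r\n",
        'content'       => LIST_METHODS_REQUEST,
        'timeout'       => 10,
        'ignore_errors' => true, // keep the body even on a non-2xx status
    ]]);
    $body = file_get_contents(rtrim($siteUrl, '/') . '/xmlrpc.php', false, $ctx);
    if ($body === false) {
        throw new RuntimeException('request to xmlrpc.php failed');
    }
    return $body;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $listed = pingbackListed(fetchMethodList($argv[1]));
    echo $listed ? "pingback.ping is still exposed\n" : "pingback.ping is disabled\n";
    exit($listed ? 1 : 0);
}
```

Run it before and after installing the plugin: the first run should list pingback.ping, the second should not. If the response is not XML at all (for example a 403 page), XML-RPC is being blocked entirely, which also closes the pingback path but may break mobile apps and other legitimate XML-RPC clients.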
