Remove WordPress X-Pingback header
WordPress Pingbacks/trackbacks is sort of link management, it lets you to know if someone make a linkback or said something about your post on his blog, and the same thing happen when you make a link to someone blog, pingbacks/trackbacks will let that person know you are linking to him. WordPress does that automatic via XML-RPC Pingback.
If you are using WordPress, WordPress will use XMLRPC to pingbacks, trackbacks which may cause your website into serious security problem. Few months ago more than 162000 WordPress Sites are used for (DDOS) Distributed Denial of Service Attack, and leaves millions of Sites Exploitable for DDoS Attacks. I believe most WordPress sites enable Pingback by default, and Pingback can be used as as indirect source amplification
To remove WordPress X-Pingback header
First you will need to login into your WordPress Admin Panel, then “Appearance”, and “Editor”. click on Theme Functions or functions.php file. Add this code to the end of functions.php file.
function remove_x_pingback($headers) { unset($headers['X-Pingback']); return $headers; } add_filter('wp_headers', 'remove_x_pingback');
To prevent Pingback Denial of Service
Add this to .htaccess if you use Apache web server
<Files xmlrpc.php> Order Deny,Allow Deny from all </Files>
location = /xmlrpc.php { deny all; }
add_filter( ‘xmlrpc_methods’, function( $methods ) { unset( $methods['pingback.ping'] ); return $methods; } );
To stop WordPress to notify pingback to other website and receive trackback from other websites. Go to WordPress Admin Panel, then “Settings”, and “Discussion”, Uncheck
- Allow link notifications from other blogs (pingbacks and trackbacks)
- Attempt to notify any blogs linked to from the article
