Remove WordPress X-Pingback header


WordPress pingbacks and trackbacks are a form of link notification: when someone links to one of your posts from their blog, your site is told about it, and when you link to someone else's post, their site is told that you linked to it. WordPress sends and receives these notifications automatically through its XML-RPC endpoint (xmlrpc.php) using the pingback.ping method.

The same XML-RPC pingback feature can be turned against you. A few months before this post was written (the March 2014 Sucuri report), more than 162,000 WordPress sites were abused as reflectors in a distributed denial of service (DDoS) attack, and millions of sites remain usable for the same purpose. Pingbacks are enabled by default on a WordPress install, and pingback.ping lets an anonymous caller ask your server to fetch a URL of the caller's choosing, so a large pool of ordinary blogs can be pointed at one victim and used as an indirect amplification source.

To remove WordPress X-Pingback header

First log in to your WordPress admin panel, open “Appearance”, then “Editor”, and click “Theme Functions” (the functions.php file). Add the code below to the end of that file. Two caveats: edits made through the theme editor are lost when the theme is updated, so a child theme or a small plugin in wp-content/mu-plugins is the safer place for this code; and removing the header only stops WordPress from advertising the endpoint. xmlrpc.php still answers pingback.ping, and many themes also print a <link rel="pingback" ...> tag from header.php, so the steps in the next section are what actually close the hole.

// Stop WordPress from advertising the XML-RPC endpoint in the X-Pingback response header.
function remove_x_pingback($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'remove_x_pingback');

To prevent Pingback Denial of Service

Add this to .htaccess if you use the Apache web server. Note that blocking xmlrpc.php outright also breaks anything that legitimately uses XML-RPC, such as Jetpack, the WordPress mobile apps and remote publishing clients; if you need those, skip the web server block and rely on the functions.php filter further down. The Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 use Require all denied instead (or load mod_access_compat).

<Files xmlrpc.php>
    # Apache 2.2 syntax; on Apache 2.4 replace the two lines with: Require all denied
    Order Deny,Allow
    Deny from all
</Files>

Add this inside the server block for the site in your Nginx configuration if you use Nginx as the web server (then reload Nginx). It returns 403 for every request to xmlrpc.php:

location = /xmlrpc.php { deny all; }
Finally, and this is the step that matters most if you cannot change the web server configuration, remove the pingback.ping method from the XML-RPC server by adding these lines to your current WordPress theme's functions.php file. Stripping the X-Pingback header alone only hides the endpoint; this filter removes the method itself, so xmlrpc.php can no longer be told to fetch a URL. (The separate xmlrpc_enabled filter is not a substitute: it only disables the methods that require authentication, and pingback.ping is unauthenticated.)

// Remove pingback.ping from the list of XML-RPC methods WordPress will serve.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    return $methods;
});

To stop WordPress from sending pingbacks to other sites and from accepting pingbacks and trackbacks from other sites, go to the WordPress admin panel, then “Settings”, then “Discussion”, and uncheck:

  • Allow link notifications from other blogs (pingbacks and trackbacks)
  • Attempt to notify any blogs linked to from the article

Note that the first option only sets the default for new posts; existing posts keep their own “Allow pingbacks and trackbacks” setting, so this is a complement to the server-side and functions.php changes above, not a replacement for them.
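After applying the steps above it is worth checking from the outside that nothing pingback-related is still exposed. The script below is an added example written for this post; it is not code from the original article or from WordPress. It checks the three things the hardening changes: the X-Pingback header on the front page, a <link rel="pingback"> tag in the page head, and whether xmlrpc.php still lists pingback.ping in reply to an XML-RPC system.listMethods call. The sample responses embedded in it are constructed so it runs offline; the command-line URL argument, the User-Agent string and the function names are my own choices.

```python
#!/usr/bin/env python3
"""Verify that a WordPress site no longer advertises or accepts pingbacks.

Added example for this post (not part of the original article or of
WordPress). Checks: X-Pingback header, <link rel="pingback"> tag, and
pingback.ping in the xmlrpc.php system.listMethods reply.
Run with no arguments to see the checks over constructed samples, or pass
a site URL to scan a real site (network required).
"""
import re
import sys
import urllib.error
import urllib.request
import xmlrpc.client

PINGBACK_LINK_RE = re.compile(r'<link[^>]+rel=["\']?pingback["\']?[^>]*>', re.I)

# Constructed sample responses (not captures from a real site): a default
# WordPress install before hardening, and the same site after the changes.
SAMPLE_BEFORE = {
    "headers": {"Content-Type": "text/html", "X-Pingback": "https://example.com/xmlrpc.php"},
    "body": '<html><head><link rel="pingback" href="https://example.com/xmlrpc.php"></head></html>',
    "xmlrpc_status": 200,
    "xmlrpc_body": xmlrpc.client.dumps(
        (["system.listMethods", "pingback.ping", "wp.getUsersBlogs"],), methodresponse=True),
}
SAMPLE_AFTER = {
    "headers": {"Content-Type": "text/html"},
    "body": "<html><head><title>hardened</title></head></html>",
    "xmlrpc_status": 403,  # what the .htaccess / nginx deny rule returns
    "xmlrpc_body": "",
}


def check_page(headers, body):
    """Flags from the front-page GET: X-Pingback header and <link rel=pingback>."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "x_pingback_header": "x-pingback" in lower,
        "pingback_link_tag": bool(PINGBACK_LINK_RE.search(body)),
    }


def check_xmlrpc(status, body):
    """Parse a system.listMethods reply. Returns (reachable, method_names).

    A 403/404 means the web-server block is in place; a body that is not a
    valid XML-RPC method list (e.g. an HTML error page) is treated the same."""
    if status != 200:
        return False, []
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except Exception:  # xmlrpc.client.Fault, ExpatError, ValueError ...
        return False, []
    return True, list(methods)


def assess(page_flags, xmlrpc_reachable, methods):
    """Combine the checks into a list of remaining pingback exposures."""
    findings = []
    if page_flags["x_pingback_header"]:
        findings.append("X-Pingback header still sent")
    if page_flags["pingback_link_tag"]:
        findings.append("<link rel=pingback> still present in page head")
    if xmlrpc_reachable and "pingback.ping" in methods:
        findings.append("pingback.ping still exposed via xmlrpc.php")
    return findings


def assess_sample(sample):
    """Run all checks over one constructed sample (no network needed)."""
    page = check_page(sample["headers"], sample["body"])
    reachable, methods = check_xmlrpc(sample["xmlrpc_status"], sample["xmlrpc_body"])
    return assess(page, reachable, methods)


def scan(base_url, timeout=10):
    """Live version of the checks against a real site (needs network)."""
    ua = {"User-Agent": "pingback-check/1.0"}  # assumed name, choose your own
    with urllib.request.urlopen(urllib.request.Request(base_url, headers=ua), timeout=timeout) as resp:
        page = check_page(dict(resp.headers), resp.read().decode("utf-8", "replace"))
    payload = xmlrpc.client.dumps((), methodname="system.listMethods").encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/xmlrpc.php", data=payload,
                                 headers={**ua, "Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403 from the deny rule, 404 if removed
        status, body = err.code, ""
    reachable, methods = check_xmlrpc(status, body)
    return assess(page, reachable, methods)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan(sys.argv[1]) or "no pingback exposure found")
    else:
        for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(name, assess_sample(sample) or "no pingback exposure found")
```

The "before" sample reports all three findings and the "after" sample reports none. When scanning a live site, an empty result means the header is gone, no theme tag advertises the endpoint, and xmlrpc.php either refuses the request or no longer serves pingback.ping; a site that is "reachable" but without pingback.ping is the expected state when you kept XML-RPC for Jetpack or the mobile apps and relied on the functions.php filter alone.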