Pingback – what is it and why is your WP site is at risk

Although it is popular amongst many website owners (mainly for both its ease of use and lack of cost) WordPress has had to field a number of question marks over its security levels during the last couple of years.

First to occur was the TimThumb.php hack. Used within a number of different WordPress themes, the script helped to resize images. However, back in 2011 it emerged that TimThumb had been exploited by hackers in order to assault a number of WordPress sites through use of the remote file inclusion technique.

Within the next couple of years, further attacks on WP sites took place, including those focused on brute force and ‘dictionary’ techniques designed to discover site passwords: the aim, of course, being to obtain administrator level access to the victim pages.

In recent months, another potential opportunity for exploitation has appeared in the form of a Pingback DDoS.


What is pingback? 

A standard feature in WordPress, pingback was originally used simply to acknowledge links between two websites, and at one time was an effective way to improve SEO rankings.  It works like this: if website A posts a blog that links to website B and website B then links back to the post in return, a pingback is automatically sent to website A to alert them of the returning link.  Once website A receives the pingback, it will automatically visit website B to check that the link is legitimate.


How has it been used as part of an attack?

The process is a relatively simply one, making use of the pingback feature in order to flood the victim sites with traffic.  In previous years, WordPress has suffered from a wide variety of attacks, many of them exploiting areas of the CMS that are intrinsic to its operations, and the pingback attack follows the same pattern. This is a legitimate cause for concern in the sense that any computer making use of WordPress (no matter which themes or version they use) could be susceptible. With over 100 million WP sites in the world, the scope for attacks is legitimately huge.

The figures involved in the attacks offer sufficient cause for concern. Incapsula, a web application firewall provided that was responsible for uncovering this threat, noted that during an even in July of this year, over 50,000 bot visits were caused, with over 8,000,000 hits being deflected, some of them attacking at the rate of 1,000 hits per second.  It’s also worth observing that this attack took place on a 3.5.2 WordPress site, showing that (despite the opinions of many) updated software alone often isn’t enough to counter the threat.



It’s vital that any website owners using WordPress takes action to try and increase security.  As well as continually ensuring software (and plugins) are updated regularly and passwords kept strong, it’s wise to get in touch with a company with knowledge of mitigating this kind of threat.  With attacks such as these likely to become more commonplace, it’s also a good idea to make a simple change such as implementing a web application firewall service, in order to ensure that pingback vulnerability is minimised.  This can be done by accessing the control panel and either deleting or editing xmirpc.php within the root directory of the WordPress install.

Ella Mason, an experienced freelance writer, wrote this article. Ella specialises in providing useful and engaging advice to small businesses. Follow her on Twitter @ellatmason