Avoid WordPress being used as a reflection amplification attack

Before I wrote an article,Use fail2ban Bind9 be used to prevent DNS amplification attacks,Never imagined,original WordPress It can also be used for amplification attacks,The principle is its Pingback mechanism。

Pingback is a tool for mutual notification between WordPress websites,For example, A blog refers to a link to a B blog post,Then WordPress can automatically help you notify B blog,Tell the blogger that you quoted his article。

This was originally a very good feature,But one thing-Wordpress has not done a security check for this Pingback。Wordpress will detect whether the source station is valid when it receives Pingback-this needs to communicate with the source station,But it does not detect whether the ip sent from pingback and pingback are the same ...

That is,Send tens of thousands of pingbacks containing the IP of another website to 100 WordPress,Then it can be amplified to 1 million TCP connections to that website by reflection!

This is not DDoS What 0.0

So,Still close it ...

Turn off Pingback and Trackback

Close WordPress pingback

Close WordPress pingback

Since this is closed,So if you do n’t need XML RPC for WordPress,Close it together。This RPC is used to call WordPress remotely for users,For example, a client ... If you use it,Never mind。

Close WordPress XML-RPC service

This service was actually vulnerable in the early days,Later until now,Actually XML-RPC Service vulnerabilities have already been fixed (surprisingly Pingback The loopholes have remained-for so many years ...)

In your theme's functions.php,Add the following statement to close:

Prohibit access to xmlrpc.php

If you use Nginx service,Then add in your nginx site configuration

This completely prohibits external access to this file。


If it were not for someone to come to your door and say that my blog was used to reflect amplification attacks against other websites,I really do n’t know that the security vulnerability of WordPress four or five years ago has not been fixed until now ... To be honest, this function is quite easy to use,Because of it,I caught a few guys who carelessly stole my article and pretended to be original ... 😂

Some friends also said,Disable this feature without patching this vulnerability,It ’s like a doctor treating a patient by killing a patient ... that ’s right,But considering that every WordPress update and upgrade may overwrite this file (and not necessarily fix this vulnerability),And usually I don't use this function,Just close it。

Reference links

Original article written by Gerber drop-off:R0uter's Blog » Avoid WordPress being used as a reflection amplification attack

Reproduced Please keep the source and description link:https://www.logcg.com/archives/3351.html

About the Author


The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。


  1. Hi, original author here. I am sorry I do not understand Chinese ; however of what I understand you are advising turning off the WordPress trackback mechanism altogether ?

    This is not such a good idea in general, it seems to me like a doctor shooting the pacient to treat him. Instead of taking radical measures, there is a simple fix discussed in the article : simply check that the caller of xmlrpc uses the same IP as the website reported for trackback. This sterilizes the discussed avenue for amplification.

Leave a Reply

Your email address will not be published. Required fields are marked *