Pingback harmful

Although my website uses WordPress, I have disabled pingback and trackback completely since the site went live.

One of the reasons can be found here: „Blogger unter Beschuss – Pingback missbraucht“ (“Bloggers under fire: pingback abused”, heise, German) and here: a post on sucuri.net.

Explanation:

If an author on website A writes an article and links to website B in it, a “pingback” is sent from A to B as a notification: “I have linked to your article on my website”. Website B then checks whether the link really exists by sending another request to A, and only then records the pingback. WordPress shows such entries as part of the comments.

Exactly this procedure is abused by attackers: they send fake pingback requests to websites running WordPress, which then contact the alleged source.

Turn off pingback & trackback in WordPress permanently

The first step is to turn off the corresponding function in the backend:

WordPress discussion settings

However, this only makes sure that new posts and pages will not allow pingback requests by default. Existing posts and pages may still allow pingbacks and have to be changed as well. If this is too laborious in the backend, you can also use the following SQL statements:

UPDATE wp_posts SET ping_status='closed'
WHERE post_status = 'publish' AND post_type = 'post';

UPDATE wp_posts SET ping_status='closed'
WHERE post_status = 'publish' AND post_type = 'page';

Important: changes to the database are at your own risk, and never without a backup first!

However, WordPress still sends the tell-tale “X-Pingback” HTTP header, which signals that pingback is generally possible. To get rid of this header as well, you can use the following code, either in the functions.php of the active theme or within a custom plugin:

// Remove the X-Pingback header from the headers WordPress sends with each page.
function my_customheaders($headers) {
	if(isset($headers['X-Pingback'])) unset($headers['X-Pingback']);
	return $headers;
}
// 'wp_headers' is the filter WordPress applies to its response headers before sending them.
add_filter('wp_headers', 'my_customheaders');

To verify the HTTP headers sent by your website, you can use the “Firebug” add-on for Firefox. Alternatively, you can do the verification with http://web-sniffer.net.
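As an added example (not code from the original post), the steps above can be combined into one must-use plugin that also covers what the backend setting and the SQL update do not: it reports every post as closed for pings, removes the X-Pingback header, unregisters the pingback XML-RPC methods and stops the site from sending pingbacks itself. The filter and action names are WordPress's own; the plugin file name and header text are assumptions.

```php
<?php
/*
 * Plugin Name: Disable Pingbacks (added example)
 * Description: Closes pingbacks site-wide, removes the X-Pingback header,
 *              drops the pingback XML-RPC methods and stops outgoing pings.
 * Assumption: saved as wp-content/mu-plugins/disable-pingbacks.php, where
 * WordPress loads it automatically without activation.
 */

// Report every post and page as closed for pings, regardless of the
// ping_status stored in wp_posts. This covers existing content without
// the SQL update from above.
add_filter( 'pings_open', '__return_false', 10, 2 );

// Remove the X-Pingback header that advertises the pingback endpoint.
add_filter( 'wp_headers', function ( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// Unregister the pingback methods from the XML-RPC server, so xmlrpc.php
// rejects pingback.ping calls instead of contacting the alleged source.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Stop this site from sending pingbacks for links in its own posts:
// WordPress passes the list of links to ping by reference, so empty it.
add_action( 'pre_ping', function ( array &$links ) {
	$links = array();
} );

// Optional and stricter: disable the whole XML-RPC interface if nothing
// (mobile app, Jetpack, remote publishing) depends on it.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

After installing it, check the response headers once more as described above; X-Pingback should no longer appear.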
