In this article I will talk about an XML-RPC functionality, pingbacks, and ways to disable them in WordPress.
Pingbacks are evil. Why? Only two words: SPAM and DDoS.
What Are Pingbacks
XML-RPC protocol is used by WordPress as API for third-party applications, such as mobile apps, inter-blog communication and popular plugins like JetPack.
What about pingbacks? They are also using XML-RPC and it’s a method used by your website to notify another website that you have linked to it from your page (not to be confused with ICMP ping which is a network protocol function). This mechanism helps authors to keep track of external references to their articles.

Pingback Exploits
This was the intention when it was first designed, but according to many bloggers’ experience, 99% of pingbacks are spam. Due to the fact that pingbacks are often displayed as normal comments, a spammer will try to create a linkback to his content by sending a pingback notification and steal link juice from the targeted site.
Also, the XML-RPC pingback functionality may be misused to facilitate distributed denial of service attacks (DDoS). This exploit may abuse legitimate blogs and websites making them to unwillingly participate in DDoS attacks against targeted sites.
Pingback DDoS
Pingback DDoS works like this: if a malicious hacker wants to send a DDoS attack to a target system, he sends crafted pingback commands to a big number of innocent pingback enabled WordPress blogs making them believe that the originator is the target system. This way, the blogs will wrongly send a huge stream of replies to the target system suffocating it with bogus traffic.
If you disable pingbacks on your blog, it will not be able to participate in DDoS attacks anymore.
As a matter of fact, you shouldn’t disable XML-RPC entirely, but only a subset of the supported functionality. Otherwise, you may run into issues with some of your plugins, like JetPack, that use XML-RPC for offsite server communication.
Below I present three practical methods that can be used to disable pingbacks in a WordPress blog.
Method 1: Using Onboard Means
The simplest way is to uncheck the option in WordPress settings. Go to Settings->Discussion and uncheck “Allow link notifications from other blogs (pingbacks and trackbacks) on new posts“. Then click on “Save Changes“.

This will only disable pingbacks (and trackbacks) for future posts and pages, but not for the existing ones. To disable also for the existing posts and pages you have to run a couple of SQL queries.
CPanel-based Web Hostings
You can use phpMyAdmin utility for this. Simply go to CPanel, the control panel of your web hosting account, and find phpMyAdmin utility.

Once there you have to locate the database used by your blog and select the SQL tab, then execute this command:
UPDATE wp_posts SET ping_status='closed'
WHERE post_status='publish' AND (post_type='post' OR post_type='page');
This will disable pingbacks and trackbacks for all existing posts and pages.
To find out which database is used by your blog follow these steps:
- Connect to your hosting account with an FTP client, for example, WinSCP;
- Navigate to your site’s root directory, usually public_html;
- Locate and open to view wp-config.php file;
- Within this file locate the string DB_NAME; it should bring you to a declaration like this: define(‘DB_NAME’, ‘pref_wp239’); The second parameter is the name of the database.
Other Web Hostings
There are also hosting companies that use control panels designed specifically for them. In these cases, it is better to consult their specific way of managing databases.
Method 2: Using Plugins
There are many WordPress plugins out there dealing with XML-RPC security issues. Many of them are covering a whole bunch of security aspects, but some of them are specialized exclusively on pingbacks.
One of the simplest of them that does exactly what it says is disable-xml-rpc-pingback. This free plugin disables only the pingback part of XML-RPC API.
Just go to your WordPress admin area to Plugins->Add New and enter “disable xml rpc pingback” in the search box. Then install “Disable XML-RPC Pingback” by Samuel Aguilera. When done, you have to activate it.
With this method, all posts and pages, whether current or future, will be protected.
Method 3: A Little Coding
If you are reluctant to adding yet another plugin to your WordPress blog but you are comfortable with a little coding, you can add a small piece of code in functions.php file. This code does exactly what the plugin above does.
Just go to Appearance->Editor, then choose functions.php and add this code at the end:
// disable pingbacks
add_filter('xmlrpc_methods', function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
} );
// remove x-pingback HTTP header
add_filter('wp_headers', function($headers) {
unset($headers['X-Pingback']);
return $headers;
});
Don’t forget to click on “Update File” when finished.
Needless to say that any changes to theme files will be wiped up upon theme update. Therefore it is best to use a child theme if you plan to make changes.
Conclusion
What about trackbacks? Well, only the “onboard means” method described here covers the trackbacks. The other ones cover only the pingbacks. Maybe some other plugins do. I’ll come back with updates when I’ll stumble upon additional info. Until then, take care of your blog.