In the XML-RPC module of any WordPress installation, the pingback feature is enabled. This feature allows an attacker to send requests to a vulnerable WordPress site and use it to attack other websites. In other words, your WordPress installation could be used in a Distributed Denial-of-Service (DDoS) attack without your knowledge.
For more information about this issue, read this Sucuri blog post:
WordPress has not released a fix for this problem, but there is a WordPress plugin that disables the pingback query (pingback.ping) in the XML-RPC module.
Note: The plugin needs to be installed on each WordPress installation.
Remove XMLRPC Pingback Ping plugin:
Here are the steps to install the plugin:
- Log in to your WordPress administrator dashboard.
- Once in the WordPress dashboard, look at the menu on the left, hover over Plugins and click the "Add New" sub-menu.
- In the search box, type in "XMLRPC Pingback Ping" and search.
- Select the right plugin and click on "Install Now".
- Confirm the installation by clicking on "OK".
- Once the installation is finished, activate the plugin by clicking "Activate Plugin".
- After the installation and activation of the plugin, you should be able to see it in the Plugins section.
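For sites you manage yourself, the same effect can be achieved without the per-site "Install Now" step. The following must-use plugin is an added example, not the page's or the plugin's own code: it uses WordPress core's xmlrpc_methods and wp_headers filters to drop pingback.ping and stop advertising the pingback endpoint. It assumes a standard WordPress install where files in wp-content/mu-plugins/ are loaded automatically.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingback.ping (added example)
 * Description: Removes the pingback.ping method from the XML-RPC interface so
 *              this site cannot be used as a pingback reflector in a DDoS.
 *              Save as wp-content/mu-plugins/disable-pingback.php (assumed path).
 */

// The XML-RPC server passes its method table through this filter before
// dispatching any call; removing the entry makes pingback.ping unknown, so the
// server answers with a "method not found" fault instead of fetching the source URL.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'] );
    // Read-only, but pointless once pingbacks are off, so remove it as well.
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the X-Pingback response header,
// so automated scans for open pingback endpoints do not list this site.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Belt and braces: report every post as closed to pings, so a pingback is
// refused at the comment layer even if another plugin re-registers the method.
add_filter( 'pings_open', '__return_false', 20 );
```

After deploying, confirm that a `system.listMethods` call to xmlrpc.php on your own site no longer lists pingback.ping, and that responses carry no X-Pingback header.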