Are your pingback settings leaving you vulnerable?Is your site safe? DDoS (Distributed Denial of Service) attacks on over 160,000 WordPress sites have highlighted the importance of ensuring the security of your site. February 25, 2015
DDoS (Distributed Denial of Service) attacks on over 160,000 WordPress sites have highlighted the importance of ensuring the security of your site.
First things first: the basics.
According to WPBeginner, pingbacks give software the ability to communicate between websites. Ideally, a pingback is used to notify someone when their post has been linked, allowing them to track post activity.
Great idea. However, the software is not without its problems, and can expose your site’s security to risk of a DDoS attack, which can interrupt your site and online connection. When your site is down customers searching for you will be lost and any e-commerce could become vulnerable.
motumb2b web guru, Nolan Knill, summarizes the problem this way: “Pingbacks can wreak havoc on servers. Hackers are able to use the pingbacks to spoof their requests through Wordpress sites to DDoS attack another site.”
There are 193 known security vulnerabilities in Wordpress right now over different versions, so it’s vital to keep the platform as up-to-date as possible, but this could lead to broken plugins, widgets, etc. when updating. Since a lot of Wordpress plugins are made by third-parties, users must either rely on third-party designers (or hope the plugins don’t expose any new vulnerabilities), or stay on an older, unpatched version of Wordpress that’s obsolete.
So what can you do?
In the short term, you should disable the pingback function on your WordPress site by following these steps:
- Go to Settings > Discussion
- Uncheck “Allow link notifications from other blogs (pingbacks and trackbacks).” Note: This will only disable trackbacks and pingbacks for future posts (not existing posts).
- Click the “Save Changes” button.
In the long term, however, our honest recommendation is to switch platforms, for example, to CMS sites using Zend Framework—a secure, established PHP framework. This reduces the risk of exposing our clients and their sites of these common WordPress vulnerabilities.
If you wish to continue with your site, we also have experience with securing client’s existing Wordpress sites, ensuring that we disable pingbacks and other common security vulnerabilities that may exist.