A part of the standard WordPress package, pingbacks allow remote blogs to notify your site when they have linked to your content. Unfortunately, hackers have found a way to exploit this feature to launch Distributed Denial of Service (DDoS) attacks against other websites and servers. If you're running a version of WordPress older than 3.8.2, your website could potentially be used in a DDoS attack.
The easiest way to prevent access to the xmlrpc.php file is to edit your .htaccess file. You can do this in the Plesk File Manager, or edit the file locally and upload it back to the server over FTP. Add the following:
```apache
# XMLRPC Pingback DDOS Prevention
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
```
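- This blocks all access to the WordPress XML-RPC interface as soon as the file is saved, including access by legitimate XML-RPC clients. The Order and Deny directives are Apache 2.2 syntax; Apache 2.4 accepts them only through mod_access_compat, and its native equivalent is Require all denied.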
- Sucuri Blog: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
- Ars Technica: http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/
- Akamai Blog: https://blogs.akamai.com/2014/03/anatomy-of-wordpress-xml-rpc-pingback-attacks.html
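
To see how much XML-RPC traffic your site receives and to confirm that the .htaccess rule above now answers it with 403, you can summarize the Apache access log. This is an added example, not part of the original article; it assumes Apache's combined log format, and the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Apache "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two requests served before the rule, two denied after it.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2014:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.10 - - [12/Mar/2014:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [12/Mar/2014:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2014:10:09:30 +0000] "POST /xmlrpc.php HTTP/1.0" 403 211 "-" "-"
203.0.113.5 - - [12/Mar/2014:10:09:41 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 403 211 "-" "-"
""".splitlines()

def xmlrpc_requests(lines):
    """Yield (client, method, status) for every request to a file named xmlrpc.php."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # drop any query string
        # Match on the file name so installs in a subdirectory are counted too.
        if path.rsplit("/", 1)[-1] == "xmlrpc.php":
            yield m["client"], m["method"], int(m["status"])

def summarize(lines):
    """Count xmlrpc.php POSTs per client, split into served and denied (403)."""
    served, denied = Counter(), Counter()
    for client, method, status in xmlrpc_requests(lines):
        if method != "POST":
            continue  # XML-RPC calls, pingback.ping included, arrive as POSTs
        (denied if status == 403 else served)[client] += 1
    return served, denied

if __name__ == "__main__":
    served, denied = summarize(SAMPLE_LOG)
    print("served (rule not in effect):", dict(served))
    print("denied with 403:", dict(denied))
```

The access log does not record the request body, so this counts every XML-RPC POST rather than pingback calls specifically. Once the rule is saved, new entries should appear only in the denied count.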