WordPress pingback scanner - Vulnerability Database

WordPress pingback scanner

Description

WordPress includes an XML-RPC pingback feature that allows websites to notify each other when content is linked. This functionality can be exploited to perform Server-Side Request Forgery (SSRF) attacks, enabling attackers to use the WordPress server as a proxy to scan internal network hosts and ports that would otherwise be inaccessible from the internet. By sending specially crafted XML-RPC requests to the xmlrpc.php endpoint, an attacker can enumerate internal network topology and identify active services running on internal systems.

Remediation

Implement one or more of the following mitigation strategies:

1. Disable XML-RPC entirely if pingback functionality is not required by adding the following code to your theme's functions.php file or a custom plugin:

add_filter('xmlrpc_enabled', '__return_false');

2. Block XML-RPC at the web server level by adding a rule to deny access to xmlrpc.php. For Apache, add to .htaccess:
<Files xmlrpc.php>
  # Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat,
  # or use the 2.4 equivalent instead: Require all denied
  Order Deny,Allow
  Deny from all
</Files>

For Nginx, add to your server configuration:
location = /xmlrpc.php {
  deny all;
}

3. Install a security plugin that can disable XML-RPC pingback functionality while preserving other features if needed.

4. Update WordPress to the latest version and ensure all security patches are applied.
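The xmlrpc_enabled filter in step 1 only disables XML-RPC methods that require authentication, and pingback.ping is unauthenticated, so the following must-use plugin (an example added here, not code from the Invicti page) removes the pingback methods and the X-Pingback response header in addition to applying that filter. The file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingback
 * Description: Example hardening mu-plugin; assumed file name
 *              wp-content/mu-plugins/disable-pingback.php
 */

// Step 1 from the remediation: turns off the authenticated XML-RPC methods
// (publishing, user listing, ...). It does not cover pingback.ping.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the unauthenticated pingback methods from the XML-RPC method table
// so pingback.ping (the SSRF vector) can no longer be invoked at all.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback header WordPress adds
// to singular pages that accept pings.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Close pings on all posts as a second line of defence, so even a method
// re-registered by another plugin has nothing to ping.
add_filter( 'pings_open', '__return_false' );
```

Themes that hard-code a `<link rel="pingback">` tag in header.php still need that line removed by hand; the filters above do not edit theme output.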

After implementing a web-server block, verify that requesting xmlrpc.php directly in a web browser now returns an error (for the Apache and Nginx rules above, HTTP 403 Forbidden). The functions.php filter does not remove the file, so a browser request will still get a response from it; that approach is verified by the XML-RPC server refusing the affected methods rather than by the file being unreachable.
