** Ian <ian(a)lovingboth.com> [2014-07-17 19:23]:
Paul Tansom said:
Is anyone else suffering from this pingback DDoS at the moment? My server is
only a low-spec one and keeps being brought to its knees by it. Now I've had
the time to actually look at the logs and work out what is happening I'm in the
process of putting some form of protection in there, although the quick fixes
seem to impact functionality. I was just wondering what anyone else had done,
assuming others have been impacted too. Not having read in full detail yet, I'm
wondering why this is just a WordPress issue. Wouldn't you be able to do the
same thing with any blog or CMS that uses pingback?
I haven't seen this, but that's because I turn off pingbacks on all WP
sites. There's a plugin to do it on sites that have had them,
<https://wordpress.org/plugins/disable-xml-rpc-pingback/>, without
totally disabling xml-rpc in case you need it for something else.
If you can't install plugins for some reason, but can access the
database, there's a couple of lines of SQL to turn it off on all
existing pages and posts.
You won't be missing out on anything, because the overwhelming majority
of pingbacks have been 'not good' for years. Turning them off is a part
of setting up a WP site...
There are more WordPress sites, so they get targeted first. The people
developing WP also think that because people like getting comments, they
should leave a new site completely vulnerable to spam comments and
pingbacks and until one issue was fixed, allowed attackers to do things
like probe your server with them.
** end quote [Ian]
Yes, that's the plugin I'm trying to install. I've clearly been lax, but I
thought pingbacks were disabled by default; I've certainly never had any,
although from what I've read the option has been removed from the configuration
and it has been enabled by default. At the moment I'm blocking xmlrpc.php from
the .htaccess, but each time I enable Apache again the load goes from around
0.09 through to 30, 40 or 50 within a minute or so. It is very difficult to
test and diagnose if you can't get any response from the server because of the
load :( I'm just putting something together with fail2ban, then with any luck I
can put the plugin in place and experiment.
--
Paul Tansom | Aptanet Ltd. |
http://www.aptanet.com/ | 023 9238 0001
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
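The two mitigations mentioned in this thread work at different layers. Paul's .htaccess deny still has Apache accept every connection and log a 403, which is why the load spike survives it; a fail2ban jail instead counts those log hits per client and drops the offenders at the firewall. The script below is an added example, not code from either poster: it is the counting step of such a jail, run over a small constructed Apache combined-format log (the addresses are documentation ranges, not real traffic) so a filter's threshold can be tuned against a log copy before any ban is enabled. The function name and the threshold default are mine.

```shell
#!/bin/sh
# Added example: report clients hammering xmlrpc.php in an Apache combined log.
# A fail2ban filter does the same per-IP counting over a time window and then
# bans; this version only reports, so it is safe to run over an old log file.

# Constructed sample log lines (not real traffic). One client keeps POSTing
# pingbacks to xmlrpc.php; the 403 shows that an .htaccess deny still gets
# logged, so blocked attempts count toward the threshold as well.
SAMPLE_LOG='192.0.2.10 - - [17/Jul/2014:19:23:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.9"
192.0.2.10 - - [17/Jul/2014:19:23:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.9"
192.0.2.10 - - [17/Jul/2014:19:23:02 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.9"
198.51.100.7 - - [17/Jul/2014:19:23:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jul/2014:19:23:03 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.9"
192.0.2.10 - - [17/Jul/2014:19:23:03 +0100] "POST /xmlrpc.php HTTP/1.0" 403 199 "-" "WordPress/3.9"'

# xmlrpc_offenders THRESHOLD < access_log
# Prints "<count> <ip>" for every client with at least THRESHOLD requests to
# xmlrpc.php, busiest first. In combined log format field 1 is the client
# address and field 7 is the request path.
xmlrpc_offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
    ' | sort -rn
}

# Run against the constructed log: only 192.0.2.10 (4 hits) reaches 3.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_offenders 3
```

On a live server the same pipeline is `xmlrpc_offenders 3 < /var/log/apache2/access.log`; once the threshold separates the flood from legitimate XML-RPC clients, the equivalent fail2ban filter needs only the path match (`/xmlrpc.php`) and the `<HOST>` placeholder in place of field 1, with the window and ban time set in the jail.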