Earlier this year, more than 162,000 unsuspecting legitimate WordPress websites were used for DDoS attacks within a few hours.
Attackers abused the WordPress pingback feature, which allows websites to cross-reference blog posts. By sending hundreds of spoofed requests per second to the /xmlrpc.php file and making these requests appear to come from the target site, the attacker tricks the website’s servers into flooding the target with more traffic than it can handle.
XML-RPC (XML remote procedure call) is a protocol used by WordPress and other web applications to provide services such as pingbacks, trackbacks, and remote access for some users.
To stop your WordPress website from being misused, you will need to disable the XML-RPC (pingback) functionality on your site.
Note: Jetpack and other plugins use XML-RPC to authenticate with WordPress.com and to communicate with the Jetpack-powered site. Disabling XML-RPC may affect the ability to use any of the WordPress mobile apps to communicate with your site.