How to Neutralise a Pingback DDOS Attack
The WordPress Pingback Vulnerability is used to maliciously attack your WordPress site via the Pingback service.
If the attack is heavy enough then not only will your site be seriously slowed if not inaccessible) but your server will also be overloaded with requests thus risking your shared hosting account altogether.
This type of attack is usually instigated via a botnet of many hundreds (if not thousands) of different IP addresses so a simply blocking the IP address of the attacker is not practical.
If you are under attack right now then there are actions you can take to minimise (if not nullify) the effect of attack.
Disable the WordPress XMLRPC Service
We can do this by adding a “deny” to “xmlrpc.php” in your .htaccess file. This will disable the your WordPress site from participating with the pingback requests.
Add the following to the top of your .htaccess file:
<files xmlrpc.php> order deny, allow deny from all </files>
The attack will now have less effect on your server load.
Once the attack is over, you may remove deny code if you need XMLRPC services active on your WordPress site. There’s a 95% chance you can leave it there with no noticeable effect at all.
Blocking the DDOS Attack using CSF
If you use CSF, you may still want to block the IP addresses of the attacking botnet. It’s quite easy to do.
Here is a bash one-liner that will do the job for you in real-time:
tail -f /var/www/vhosts/yourdomain.com/logs/access_log | grep "\"WordPress/" | grep -v "POST " | awk '{print $1}' | while read IP; do /usr/sbin/csf -td $IP 7d BlockPingback; done
There is some satisfaction in having the IPs permanently blocked. You can add the resulting IP block to your deny files on all servers and accounts.
It does make sense as all the attacking WordPress sites are clearly compromised and will no longer be a problem (for you at least) if permanently blocked from your server.