Hi guys,

If you run WordPress, you may want to help prevent a denial of service (DoS) attack against the server you're hosted on by installing the Disable XML-RPC Pingback Plugin on your WordPress installation. WordPress doesn't seem to want to fix the issue in their base code. This is a security issue. Bogus XML-RPC requests load the WordPress database several times in a short period of time, which apparently uses a ton of resources on each initialization. Compound that with 4+ of the same bogus requests within a second, and your server load is off the charts. 4-5 requests per second shouldn't result in a denial of service, especially since nginx is supposedly capable of handling 10,000+ simultaneous connections. Don't get too excited yet; it also affects Apache2 just the same. I wouldn't hold out much hope though. WordPress doesn't seem interested in fixing this important problem. It affects all versions of WordPress, including the latest 4.4.1 release.

Pingbacks in general should be completely disabled by default in my opinion. It's a feature that has obviously not been well thought out or secured against attacks. What WordPress should really do is not process bogus pingback requests in the first place. It looks like the database schema may need optimization. WordPress needs to figure out a way to load the minimal amount of data as quickly as possible from the database to determine whether or not the pingback request being sent is bogus.
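As an added example (not code from this post or from the Disable XML-RPC Pingback plugin itself), here is a minimal must-use plugin that removes the pingback methods from WordPress's XML-RPC method table, so a bogus `pingback.ping` request gets a fault response before WordPress loads the target post or fetches the remote URL; the file name and plugin header are assumptions, the `xmlrpc_methods`, `wp_headers` and `pings_open` filters are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC Pingback (example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc-pingback.php so it loads
 * on every request without activation. Hypothetical example code, not
 * the source of the Disable XML-RPC Pingback plugin from the directory.
 */

// Strip the pingback methods from the XML-RPC method table. With the
// entries gone, xmlrpc.php answers "pingback.ping" with a faultCode
// (unknown method) instead of resolving the target post and making an
// outbound HTTP request to the supposed source URL.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header
// that WordPress emits on single posts when pings are open.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Report pings as closed everywhere, so themes that print
// <link rel="pingback"> only when pings_open() is true stop doing so
// and incoming pingbacks are rejected at the comment layer as well.
add_filter( 'pings_open', '__return_false', 9999, 2 );
```

This does not rate-limit or block `xmlrpc.php` itself; other XML-RPC methods still work, so a web-server level limit on POST requests to that path remains a sensible complement.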

I had to post about this here on X-null since my original forum thread has been closed and censored. I'm sure it will probably be deleted soon since I will be banned from WordPress, so just in case, I've saved it here.

If anyone actually cares or just wants some hardly exciting drama, get out the popcorn now. I'm pretty sure I'm gonna get banned because I'm calling out the moderator that locked my thread here.