Websites built on the WordPress CMS can be abused by attackers to launch DDoS attacks. The attack uses the Pingback mechanism, which is enabled in WordPress by default. On an abused site, CPU load increases and the web server logs show requests like “POST /xmlrpc.php HTTP/1.1”.
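To check the web server logs for the symptom described above, the following added example (not part of the original article) counts POST requests to xmlrpc.php per minute and per client IP. It assumes the Apache/Nginx "combined" log format; the sample lines, the function names and the threshold of 5 requests per minute are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_posts(lines):
    """Yield (minute, ip) for every POST to xmlrpc.php; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path.endswith("/xmlrpc.php"):
            # "10/Mar/2024:12:00:01 +0000" -> "10/Mar/2024:12:00"
            yield m["ts"][:17], m["ip"]

def burst_report(lines, per_minute_threshold=5):
    """Return {minute: Counter(ip -> hits)} for minutes at or above the threshold."""
    by_minute = {}
    for minute, ip in xmlrpc_posts(lines):
        by_minute.setdefault(minute, Counter())[ip] += 1
    return {minute: hits for minute, hits in by_minute.items()
            if sum(hits.values()) >= per_minute_threshold}

def _line(ip, ts, request, status=200):
    # Helper that builds one constructed log line (not real traffic).
    return f'{ip} - - [{ts} +0000] "{request} HTTP/1.1" {status} 370 "-" "-"'

# Constructed sample: a burst of six pingback-style POSTs plus unrelated requests.
SAMPLE = (
    [_line("203.0.113.10", f"10/Mar/2024:12:00:0{i}", "POST /xmlrpc.php") for i in range(4)]
    + [_line("203.0.113.11", f"10/Mar/2024:12:00:1{i}", "POST /xmlrpc.php") for i in range(2)]
    + [_line("198.51.100.7", "10/Mar/2024:12:00:30", "GET /xmlrpc.php"),
       _line("198.51.100.7", "10/Mar/2024:12:00:31", "POST /wp-login.php"),
       _line("198.51.100.7", "10/Mar/2024:12:05:02", "POST /xmlrpc.php")]
)

if __name__ == "__main__":
    for minute, hits in burst_report(SAMPLE).items():
        print(minute, sum(hits.values()), "POSTs to xmlrpc.php:", dict(hits))
```

To run it against a real log, pass an open file object instead of `SAMPLE` and adjust the threshold to the site's normal traffic.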
You can protect your site in the following ways:
1. Install a plugin. This is the most reliable way.
Pingback disable plugin
The plugin is a single PHP script with the content:
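<?php
// Hook into the list of methods that xmlrpc.php exposes.
add_filter( 'xmlrpc_methods', 'Remove_Pingback_Method' );

function Remove_Pingback_Method( $methods ) {
    // pingback.ping is the call that makes this site fetch a remote URL.
    unset( $methods['pingback.ping'] );
    // Also remove the method that lists the pingbacks registered for a post.
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
?>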
2. Disable Pingback in WordPress settings.
To do this, go to the Settings → Discussion menu and uncheck the "Attempt to notify any blogs linked to from the post" and "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts" checkboxes.
Additionally: Disable WordPress comments (Close, Enable, Delete comments) https://ru.wordpress.org/plugins/comments-plus/