Is There a Way to Completely Turn Off Pingbacks/Trackbacks?

There is the option to turn off trackbacks/pingbacks under Settings > Discussion.

But I’d like to remove the X-Pingback header WordPress sends and completely remove the trackback endpoint.

Is there a way to do this?

2 comments

  1. <?php
    /*
    Plugin Name: [RPC] XMLRPCless Blog
    Plugin URI: http://earnestodev.com/
    Description: Disable XMLRPC advertising/functionality blog-wide.
    Version: 0.0.7
    Author: EarnestoDev
    Author URI: http://earnestodev.com/
    */
    // Disable X-Pingback HTTP Header.
    add_filter('wp_headers', function($headers, $wp_query){
        if(isset($headers['X-Pingback'])){
            // Drop X-Pingback
            unset($headers['X-Pingback']);
        }
        return $headers;
    }, 11, 2);
    // Disable XMLRPC by hijacking and blocking the option.
    add_filter('pre_option_enable_xmlrpc', function($state){
        return '0'; // return $state; // To leave XMLRPC intact and drop just Pingback
    });
    // Remove rsd_link from filters (<link rel="EditURI" />).
    add_action('wp', function(){
        remove_action('wp_head', 'rsd_link');
    }, 9);
    // Hijack pingback_url for get_bloginfo (<link rel="pingback" />).
    add_filter('bloginfo_url', function($output, $property){
        return ($property == 'pingback_url') ? null : $output;
    }, 11, 2);
    // Just disable pingback.ping functionality while leaving XMLRPC intact?
    add_action('xmlrpc_call', function($method){
        if($method != 'pingback.ping') return;
        wp_die(
            'Pingback functionality is disabled on this Blog.',
            'Pingback Disabled!',
            array('response' => 403)
        );
    });
    ?>
    

    Use this for a plugin in /wp-content/plugins or /wp-content/mu-plugins (for auto-activation). Or functions.php.

    Funny thing is I sell a WordPress Remote Publishing Library and gave you the code to disable XMLRPC 🙂 Bad for reputation.

  2. @EarnestoDev had a great answer, but it’s a little outdated now since recent xml-rpc exploits.

    I’ve made an updated version that I think blocks all possible access to it. Take note though that there are a few plugins out there that utilize the XML-RPC pingback/trackback functionality and could have issues if you are using them:

    • WordPress Mobile App
    • JetPack
    • LibSyn (for podcasts)
    • Some parts of BuddyPress
    • Windows Live Writer
    • IFTTT
    • A few gallery plugins

    Here’s an updated version below. To download it you can copy it into a plugin file, drop it in mu-plugins or download it on GitHub:

    <?php
    /*
    Plugin Name:        BYE BYE Pingback
    Plugin URI:         https://github.com/Wordpress-Development/bye-bye-pingback/
    Description:        Banishment of wordpress pingback
    Version:            1.0.0
    Author:             bryanwillis
    Author URI:         https://github.com/bryanwillis/
    */
    
    // If this file is called directly, abort.
    if ( ! defined( 'WPINC' ) ) {
        die;
    }
    
    /**
     * Htaccess directive to block xmlrpc for extra security.
     * Here are some rewrite examples:
     *   404 - RewriteRule xmlrpc.php$ - [R=404,L]
     *   301 - RewriteRule ^xmlrpc.php$ index.php [R=301]
     * If you want custom 404 make sure your server is finding it by also adding this 'ErrorDocument 404 /index.php?error=404' or 'ErrorDocument 404 /wordpress/index.php?error=404' for sites in subdirectory.
     */ 
    add_filter('mod_rewrite_rules', 'noxmlrpc_mod_rewrite_rules'); // should we put this inside wp_loaded or activation hook
    function noxmlrpc_mod_rewrite_rules($rules) {
      $insert = "RewriteRule xmlrpc.php$ - [F,L]";
      $rules = preg_replace('!RewriteRule!', "$insert\n\nRewriteRule", $rules, 1);
      return $rules;
    }
    
    register_activation_hook(__FILE__, 'noxmlrpc_htaccess_activate');
    function noxmlrpc_htaccess_activate() {
      flush_rewrite_rules(true);
    }
    
    register_deactivation_hook(__FILE__, 'noxmlrpc_htaccess_deactivate');
    function noxmlrpc_htaccess_deactivate() {
      remove_filter('mod_rewrite_rules', 'noxmlrpc_mod_rewrite_rules');
      flush_rewrite_rules(true);
    }
    
    
    // Remove rsd_link from filters- link rel="EditURI"
    add_action('wp', function(){
        remove_action('wp_head', 'rsd_link');
    }, 9);
    
    
    // Remove pingback from head (link rel="pingback")
    if (!is_admin()) {      
        function link_rel_buffer_callback($buffer) {
            $buffer = preg_replace('/(<link.*?rel=("|\')pingback("|\').*?href=("|\')(.*?)("|\')(.*?)?\/?>|<link.*?href=("|\')(.*?)("|\').*?rel=("|\')pingback("|\')(.*?)?\/?>)/i', '', $buffer);
            return $buffer;
        }
        function link_rel_buffer_start() {
            ob_start("link_rel_buffer_callback");
        }
        function link_rel_buffer_end() {
            ob_flush();
        }
        add_action('template_redirect', 'link_rel_buffer_start', -1);
        add_action('get_header', 'link_rel_buffer_start');
        add_action('wp_head', 'link_rel_buffer_end', 999);
    }
    
    
    // Return pingback_url empty (<link rel="pingback" href>).
    add_filter('bloginfo_url', function($output, $property){
        return ($property == 'pingback_url') ? null : $output;
    }, 11, 2);
    
    
    // Disable xmlrpc/pingback
    add_filter( 'xmlrpc_enabled', '__return_false' );
    add_filter( 'pre_update_option_enable_xmlrpc', '__return_false' );
    add_filter( 'pre_option_enable_xmlrpc', '__return_zero' );
    
    // Disable trackbacks
    add_filter( 'rewrite_rules_array', function( $rules ) {
        foreach( $rules as $rule => $rewrite ) {
            if( preg_match( '/trackback\/\?\$$/i', $rule ) ) {
                unset( $rules[$rule] );
            }
        }
        return $rules;
    });
    
    
    // Disable X-Pingback HTTP Header.
    add_filter('wp_headers', function($headers, $wp_query){
        if(isset($headers['X-Pingback'])){
            unset($headers['X-Pingback']);
        }
        return $headers;
    }, 11, 2);
    
    
    add_filter( 'xmlrpc_methods', function($methods){
        unset( $methods['pingback.ping'] );
        unset( $methods['pingback.extensions.getPingbacks'] );
        unset( $methods['wp.getUsersBlogs'] ); // Block brute force discovery of existing users
        unset( $methods['system.multicall'] );
        unset( $methods['system.listMethods'] );
        unset( $methods['system.getCapabilities'] );
        return $methods;
    });
    
    
    // Just disable pingback.ping functionality while leaving XMLRPC intact?
    add_action('xmlrpc_call', function($method){
        if($method != 'pingback.ping') return;
        wp_die(
            'This site does not have pingback.',
            'Pingback not Enabled!',
            array('response' => 403)
        );
    });
    

    Also, if you want to close all existing pingbacks, follow these steps:

    1) Open phpmyadmin and navigate to SQL section:

    2) Enter the following:

    UPDATE wp_posts SET ping_status="closed";
    

    3) All existing pingbacks should now be closed
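
Added example, not part of either answer or of either plugin: a stand-alone PHP check that inspects a captured HTTP response for the three things the plugins above are meant to strip (the `X-Pingback` header, `<link rel="pingback">` and `<link rel="EditURI">`). The function name `audit_pingback_exposure`, the host `blog.example` and the sample response are constructed for illustration.

```php
<?php
// Added example: report leftover pingback/XML-RPC advertising in one HTTP response.
// audit_pingback_exposure() and the sample below are hypothetical, not WordPress APIs.
function audit_pingback_exposure(string $rawResponse): array
{
    // Headers end at the first blank line; everything after it is the body.
    $parts = preg_split("/\r?\n\r?\n/", $rawResponse, 2);
    $headerBlock = $parts[0];
    $body = $parts[1] ?? '';
    $findings = [];
    // 1. X-Pingback response header (header names are case-insensitive).
    foreach (preg_split("/\r?\n/", $headerBlock) as $line) {
        if (stripos($line, 'X-Pingback:') === 0) {
            $findings[] = 'header: ' . trim($line);
        }
    }
    // 2. <link rel="pingback"> and <link rel="EditURI"> in the markup.
    if ($body !== '') {
        $dom = new DOMDocument();
        // Suppress parser warnings from real-world, non-validating HTML.
        @$dom->loadHTML($body);
        foreach ($dom->getElementsByTagName('link') as $link) {
            // rel may hold several space-separated tokens, in any letter case.
            $rels = preg_split('/\s+/', strtolower(trim($link->getAttribute('rel'))));
            foreach (['pingback', 'edituri'] as $rel) {
                if (in_array($rel, $rels, true)) {
                    $findings[] = "link rel=$rel: " . $link->getAttribute('href');
                }
            }
        }
    }
    return $findings;
}

// Constructed sample: a front-page response from a site running neither plugin.
$sample = "HTTP/1.1 200 OK\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n"
    . "X-Pingback: https://blog.example/xmlrpc.php\r\n"
    . "\r\n"
    . '<html><head><title>t</title>'
    . '<link rel="pingback" href="https://blog.example/xmlrpc.php">'
    . '<link rel="EditURI" type="application/rsd+xml" href="https://blog.example/xmlrpc.php?rsd">'
    . '</head><body></body></html>';

foreach (audit_pingback_exposure($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

An empty result for a response captured after activating one of the plugins means none of the three markers is still being advertised; it does not by itself show that `xmlrpc.php` rejects requests.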