Pingbacks are a legacy WordPress feature that notifies another site when you link to its content. The notification travels through xmlrpc.php using a method called pingback.ping. It was useful in the early blogging era. Today it is mostly a liability.

Attackers abuse pingback.ping to turn your site into an unwilling participant in DDoS campaigns. They send forged pingback requests to thousands of WordPress sites, each one pointing at a single target URL. Every site then fires a request at that target. The result is a distributed denial-of-service attack assembled from sites that never agreed to take part. Yours could be one of them.

There are two layers to shut this down: the WordPress setting that controls outbound and inbound pingback behavior, and the WP Ghost toggle that closes the underlying endpoint entirely.

Block Pingbacks in WordPress Settings

WordPress has a built-in checkbox that governs link notifications. It does not remove the attack surface, but it stops the visible pingback exchange.

  1. Go to Settings > Discussion in your WordPress dashboard.
  2. Uncheck Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
  3. Uncheck Attempt to notify any blogs linked to from the article if you do not want your site sending pingbacks either.
  4. Save changes.

This setting applies to new posts. Existing posts keep their previous configuration, which you can adjust per post under the Discussion panel in the editor.

The limitation: this controls the feature, not the door. The xmlrpc.php file still responds, and the pingback.ping method is still reachable by anything that calls it directly. To remove the method entirely, close the endpoint with WP Ghost.

Block Pingbacks with WP Ghost

WP Ghost removes the pingback.ping method by returning a 404 for the xmlrpc.php endpoint. Since pingbacks run on XML-RPC, disabling XML-RPC takes your site out of the pingback ecosystem completely.

  1. Go to WP Ghost > Change Paths > Level of Security and set Safe Mode or Ghost Mode. One of these levels has to be active for the next toggle to apply. Save.
  2. Go to WP Ghost > Change Paths > API Security.
  3. Switch on Disable XML-RPC Access.
  4. Save.

That single toggle returns a 404 for /xmlrpc.php. The pingback.ping method is gone, so your site can no longer be weaponized in pingback DDoS amplification. As a bonus, the same change blocks brute force amplification through system.multicall and removes one of the fingerprints scanners use to confirm a site runs WordPress.

WP Ghost does not move, rename, or delete xmlrpc.php. It blocks access through server rewrite rules, so deactivating the plugin restores the default behavior instantly.

Verify It Worked

Open a private browser window and visit yourdomain.com/xmlrpc.php. A 404 response means the endpoint is closed and the pingback method is unreachable. The previous default response, “XML-RPC server accepts POST requests only,” should no longer appear.

For a full check, run WP Ghost > Security Check and confirm XML-RPC is reported as blocked.
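If you want the same check from a script rather than a browser, the following is an added example (not WP Ghost's own code): it classifies the GET reply exactly as the text describes, then asks the endpoint to list its methods with the standard system.listMethods introspection call so you can confirm pingback.ping is no longer advertised. The names WATCHED, SAMPLE_OPEN_REPLY and the three functions are this example's own, and SAMPLE_OPEN_REPLY is a constructed reply, not captured traffic.

```python
import urllib.error, urllib.request, xmlrpc.client
from xml.parsers.expat import ExpatError

# pingback.ping enables pingback DDoS participation, system.multicall enables
# brute-force amplification; both vanish once xmlrpc.php returns 404.
WATCHED = {"pingback.ping", "system.multicall"}
WP_BANNER = "XML-RPC server accepts POST requests only"  # stock GET reply

def list_methods_request() -> bytes:
    """Body of a system.listMethods call (standard XML-RPC introspection)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()

def endpoint_state(status: int, body: str) -> str:
    """Classify a GET /xmlrpc.php reply: 'closed', 'open' or 'unknown'."""
    if status == 404:
        return "closed"        # what WP Ghost's rewrite rule produces
    if WP_BANNER in body:
        return "open"          # XML-RPC is live
    return "unknown"           # e.g. 403 from a WAF, or a custom error page

def exposed_methods(status: int, body: str) -> set:
    """Watched methods that a system.listMethods reply advertises."""
    if status != 200:
        return set()
    try:
        params, _ = xmlrpc.client.loads(body)
    except (xmlrpc.client.Error, ExpatError):
        return set()           # fault, HTML or non-XML body: nothing advertised
    return set(params[0]) & WATCHED if params else set()

def check_site(base_url: str) -> dict:
    """Live check: a GET and a listMethods POST against base_url/xmlrpc.php."""
    url = base_url.rstrip("/") + "/xmlrpc.php"
    def fetch(req):
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    g_status, g_body = fetch(urllib.request.Request(url))
    p_status, p_body = fetch(urllib.request.Request(
        url, data=list_methods_request(), method="POST",
        headers={"Content-Type": "text/xml"}))
    return {"endpoint": endpoint_state(g_status, g_body),
            "exposed": sorted(exposed_methods(p_status, p_body))}

# Constructed sample: the listMethods reply of a site with XML-RPC still open.
SAMPLE_OPEN_REPLY = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping", "wp.getPosts"],),
    methodresponse=True)
```

Run check_site("https://yourdomain.com") against your own site after saving the toggle; the expected result is endpoint "closed" with an empty "exposed" list.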

Does Disabling XML-RPC Break Anything?

For most sites, no. The block editor, plugin and theme updates, the current WordPress mobile app, and WooCommerce all run on the REST API, not XML-RPC. The main exception is Jetpack, which still uses XML-RPC for some features. If you run Jetpack, whitelist its IP ranges in .htaccess rather than leaving the endpoint open to everyone.

The Short Version

Use Settings > Discussion to switch off the pingback feature, then use WP Ghost > Change Paths > API Security > Disable XML-RPC Access to close the endpoint that makes pingback abuse possible. The setting changes behavior; WP Ghost removes the attack surface.