Disable wordpress pingback/trackback server-wide

Share Button

It’s possible to get WordPress to help you with a reflective DDoS attack using the pingback feature. For additional info, see https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/

In any case, here’s a quick perl script to disable it for all wordpress sites on a server (assuming they haven’t been hacked to re-name the default wp-config.php file).  You’ll need to put your mysql root password into it (so delete it after using).  If you use the Plesk control panel, a second version is further down which will not require the password being stored in the file.

#!/usr/bin/perl

use strict;

print "Running 'udpatedb' to refresh file name cache; this may take a while.\n";
system("updatedb");
print "Complete.\n\n";

my @configfiles = `locate -r 'wp-config.php\$'|sort|uniq`;
my $dbName;
my $dbPrefix;
my $debug = '0';

chomp @configfiles;

foreach my $file (@configfiles) {

 if ($debug) { print "Opening $file\n"; }

 # set if db name and prefix are found
 my $dbFound = '0';
 my $prefixFound = '0';

 # read config file
 open(FP,"$file");
 my @config = <FP>;
 close(FP);

 # parse config looking for database name & prefix
 foreach my $line (@config) {
  chomp $line;

  if ( $line =~ /^define\('DB_NAME'.*'(.*)'\);/ ) {
   $dbName = $1;
   $dbFound = '1';
   if ($debug) { print "Found DB_NAME $dbName in $file\n"; }
  }
  if ($line =~ /^\$table_prefix.+'(.*)';/) {
   $dbPrefix = $1;
   $prefixFound = '1';
   if ($debug) { print "Found table_prefix $dbPrefix in $file\n"; }
  }
 }

 if ($dbFound && $prefixFound) {
  print "Database $dbName with prefix $dbPrefix...";
 } else {
  print "DB name & prefix not found in $file\n";
 }

 if ($dbFound && $prefixFound) {
  system("mysql -u root --password='MYROOTPASSWORD' -e \"UPDATE ${dbPrefix}options SET option_value = 'closed' WHERE option_name = 'default_ping_status';\" $dbName");
  system("mysql -u root --password='MYROOTPASSWORD' -e \"UPDATE ${dbPrefix}posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';\" $dbName");
  system("mysql -u root --password='MYROOTPASSWORD' -e \"UPDATE ${dbPrefix}posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';\" $dbName");

  print " updated if no errors were printed.\n";
 }
}

Here’s the version for Plesk:

#!/usr/bin/perl

use strict;

print "Running 'udpatedb' to refresh file name cache; this may take a while.\n";
system("updatedb");
print "Complete.\n\n";

my @configfiles = `locate -r 'wp-config.php\$'|sort|uniq`;
my $dbName;
my $dbPrefix;
my $debug = '0';

chomp @configfiles;

foreach my $file (@configfiles) {

 if ($debug) { print "Opening $file\n"; }

 # set if db name and prefix are found
 my $dbFound = '0';
 my $prefixFound = '0';

 # read config file
 open(FP,"$file");
 my @config = <FP>;
 close(FP);

 # parse config looking for database name & prefix
 foreach my $line (@config) {
  chomp $line;

  if ( $line =~ /^define\('DB_NAME'.*'(.*)'\);/ ) {
   $dbName = $1;
   $dbFound = '1';
   if ($debug) { print "Found DB_NAME $dbName in $file\n"; }
  }
  if ($line =~ /^\$table_prefix.+'(.*)';/) {
   $dbPrefix = $1;
   $prefixFound = '1';
   if ($debug) { print "Found table_prefix $dbPrefix in $file\n"; }
  }
 }

 if ($dbFound && $prefixFound) {
  print "Database $dbName with prefix $dbPrefix...";
 } else {
  print "DB name & prefix not found in $file\n";
 }

 if ($dbFound && $prefixFound) {
  system("mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \"UPDATE ${dbPrefix}options SET option_value = 'closed' WHERE option_name = 'default_ping_status';\" $dbName");
  system("mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \"UPDATE ${dbPrefix}posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';\" $dbName");
  system("mysql -u admin --password=`cat /etc/psa/.psa.shadow` -e \"UPDATE ${dbPrefix}posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';\" $dbName");

  print " updated if no errors were printed.\n";
 }
}
Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *