Disable Pingbacks and Trackbacks turns off the legacy WordPress pingback system. Pingbacks are rarely useful and frequently abused: a single attacker can use thousands of WordPress sites as unwitting amplifiers for a DDoS attack against another site.
What this feature does
Pingbacks let one WordPress site automatically notify another when it links to it. The receiving site verifies the link and (optionally) shows the pingback as a comment. The system was built when blogs were sparse and conversation across sites was novel; today it’s mostly a vector for spam and DDoS amplification.
This setting closes pingbacks comprehensively:
- Sets the default ping status on new posts to closed.
- Removes pingback methods from XML-RPC, so attackers can’t trigger them.
- Strips the `X-Pingback` response header so other sites stop discovering yours as a pingback target.
- Stops your site from sending pingbacks to itself when one of your posts links to another.
Attackers can use the pingback.ping XML-RPC method to make a WordPress site fetch any URL. Multiplied across thousands of innocent WordPress sites, this becomes an amplification attack against the target URL. Closing pingbacks removes your site from this attack pool.
How to enable it
- Open AdminEase › Security. Click AdminEase in the WordPress admin menu, then switch to the Security tab.
- Toggle Disable pingbacks on. Save settings.
- Verify. Test with `curl -I https://yoursite.com/`. The response should no longer include an `X-Pingback` header. New posts should default to ping status closed under Discussion options.
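A scripted version of the verify step, as an added example that is not AdminEase code: it checks saved `curl -sI` output for `X-Pingback` and also checks a saved `system.listMethods` XML-RPC response for the two pingback methods this setting removes. The sample inputs are constructed, and the function names are this example's own.

```python
import xmlrpc.client

# The two methods the page says the setting removes from XML-RPC.
PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}

def pingback_header(raw_headers):
    """Return the X-Pingback value from saved `curl -sI` output, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        # HTTP/2 prints header names in lowercase, so compare case-insensitively.
        if sep and name.strip().lower() == "x-pingback":
            return value.strip()
    return None

def exposed_pingback_methods(list_methods_xml):
    """Return pingback methods still listed in a system.listMethods response."""
    try:
        (methods,), _ = xmlrpc.client.loads(list_methods_xml)
    except xmlrpc.client.Fault:
        return []  # the server returned a fault instead of a method list
    return sorted(PINGBACK_METHODS.intersection(methods))

def audit(raw_headers, list_methods_xml):
    """Collect one finding per sign that pingbacks are still open."""
    findings = []
    target = pingback_header(raw_headers)
    if target is not None:
        findings.append(f"X-Pingback header still sent: {target}")
    for method in exposed_pingback_methods(list_methods_xml):
        findings.append(f"XML-RPC still advertises {method}")
    return findings

# Constructed samples (not captured from a real site).
HEADERS_BEFORE = ("HTTP/2 200\r\ncontent-type: text/html; charset=UTF-8\r\n"
                  "x-pingback: https://yoursite.com/xmlrpc.php\r\n\r\n")
HEADERS_AFTER = "HTTP/2 200\r\ncontent-type: text/html; charset=UTF-8\r\n\r\n"
METHODS_BEFORE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPost", *sorted(PINGBACK_METHODS)],),
    methodresponse=True)
METHODS_AFTER = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPost"],), methodresponse=True)

if __name__ == "__main__":
    print("before:", audit(HEADERS_BEFORE, METHODS_BEFORE))
    print("after: ", audit(HEADERS_AFTER, METHODS_AFTER) or "pingbacks closed")
```

To run it against your own site, save the `curl -sI https://yoursite.com/` output and the body returned by POSTing a `system.listMethods` call to `/xmlrpc.php`, then pass both strings to `audit()`.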
Settings reference
| Setting | What it does | Default |
|---|---|---|
| Disable pingbacks | Sets default ping status to closed, removes pingback XML-RPC methods, strips X-Pingback header, blocks self-pingbacks. | Off |
What happens behind the scenes
AdminEase applies several changes when this is on:
- Sets the WordPress options `default_ping_status` to `closed` and `default_pingback_flag` to `0` on every `init`.
- Filters `xmlrpc_methods` to remove `pingback.ping` and `pingback.extensions.getPingbacks`.
- Filters `wp_headers` to remove the `X-Pingback` response header.
- Hooks `pre_ping` to strip internal links matching the site’s home URL, preventing self-pingbacks when you link from one of your posts to another.
Because the changes happen at the WordPress hook level, they apply identically on Apache and Nginx hosts.
Note on existing posts
Setting the default to closed only affects new posts. Existing posts keep whichever ping status they had when they were saved. To close pings on existing posts in bulk:
- Go to Posts › All Posts. Select all posts on the page, choose Edit from the bulk actions dropdown, and click Apply.
- Set Pings to “Do not allow”. In the bulk-edit form, change the Pings field to Do not allow and click Update.
- Repeat across pages. Bulk edit only acts on the current page of results. For very large sites, use WP-CLI: `wp post list --post_status=publish --format=ids | xargs wp post update --ping_status=closed`.
Troubleshooting
I’m still receiving pingback comments
Pingbacks already in the database aren’t deleted; only future incoming ones are blocked. Approve, mark as spam, or trash any existing entries from Comments as usual.
The X-Pingback header is still being sent
A caching plugin or CDN may be caching old responses. Clear the cache. Also check that no other plugin is re-adding the header after AdminEase removes it.
I want pingbacks for a specific post
This setting prevents incoming pingbacks at the WordPress level. To allow them for a specific post while keeping the rest of the site closed, you’d need to disable this feature entirely; the protection is global by design.
What about trackbacks?
Trackbacks use the same WordPress option (default_ping_status) and are equally affected. Closing pings closes both.
