Definition
Pingback Spam hijacks the XML-RPC pingback protocol, a native WordPress feature that automatically notifies a site when another site mentions it with a link. Unlike trackbacks, pingbacks are fully automatic and include verification: WordPress checks that the link actually exists in the source article. Spammers circumvent this verification by creating temporary pages that actually contain a link to the target, triggering a legitimate pingback before modifying or deleting the source page. Beyond SEO spam, the pingback protocol has been massively exploited for amplified DDoS attacks: an attacker sends pingback requests to thousands of WordPress sites that all simultaneously query the target site, overwhelming it with requests. WordPress has progressively tightened security around pingbacks, but the best practice remains to disable them completely. In 2026, the pingback feature is considered obsolete by the WordPress community and many hosts disable it by default.
Key Points
- Exploits WordPress's native XML-RPC protocol to generate automatic notifications
- Unlike trackbacks, pingbacks verify that the source link actually exists
- The pingback protocol has been hijacked for amplified DDoS attacks
- Disabling XML-RPC is the best protection against pingback spam
Practical Examples
Classic pingback spam
A spammer creates an article with a link to a target blog, triggering an automatic pingback. The target blog displays the pingback as a comment with a return link. The spammer repeats the operation on thousands of blogs.
DDoS attack via pingback
An attacker sends XML-RPC pingback requests to 50,000 WordPress sites, asking them to verify a link on the target site. All 50,000 sites simultaneously query the target site, causing a server overload.
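A defender can spot both sides of this pattern in web server access logs. The following is an added example, not code from this page or from WordPress: it assumes logs in Apache/Nginx Combined Log Format and relies on the `verifying pingback from <IP>` suffix that WordPress appends to its User-Agent when it fetches a page to verify a pingback. The function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent sent by a WordPress site while it verifies a pingback on our pages.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/\S+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)

def analyze(lines, threshold=3):
    """Return (reflectors, origins, noisy_xmlrpc_clients) for access-log lines."""
    reflectors = Counter()    # WordPress sites that fetched us to verify a pingback
    origins = Counter()       # IPs those sites report as the pingback sender
    xmlrpc_posts = Counter()  # clients POSTing to our own xmlrpc.php
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ua = PINGBACK_UA_RE.match(m["ua"])
        if ua:
            reflectors[ua["site"]] += 1
            origins[ua["origin"]] += 1
        if m["method"] == "POST" and m["path"].split("?")[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[m["ip"]] += 1
    noisy = {ip: n for ip, n in xmlrpc_posts.items() if n >= threshold}
    return reflectors, origins, noisy

# Constructed sample log (documentation IP ranges and .example domains only).
SAMPLE_LOG = """\
198.51.100.10 - - [07/Feb/2026:10:00:01 +0000] "GET /post-1 HTTP/1.1" 200 5120 "-" "WordPress/6.4; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.11 - - [07/Feb/2026:10:00:01 +0000] "GET /post-1 HTTP/1.1" 200 5120 "-" "WordPress/6.2; http://blog-b.example; verifying pingback from 203.0.113.7"
198.51.100.12 - - [07/Feb/2026:10:00:02 +0000] "GET /post-1 HTTP/1.1" 200 5120 "-" "WordPress/5.9; http://blog-c.example; verifying pingback from 203.0.113.7"
198.51.100.99 - - [07/Feb/2026:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.50 - - [07/Feb/2026:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.50 - - [07/Feb/2026:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.50 - - [07/Feb/2026:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.60 - - [07/Feb/2026:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress-App/1.0"
"""

if __name__ == "__main__":
    reflectors, origins, noisy = analyze(SAMPLE_LOG.splitlines())
    print("Sites verifying pingbacks against us:", dict(reflectors))
    print("Reported pingback origins:", dict(origins))
    print("Clients hammering our xmlrpc.php:", noisy)
```

Many distinct sites verifying pingbacks that all report the same origin IP indicates the target side of the attack; repeated POSTs to your own xmlrpc.php from one client suggest your site is being used as a relay.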
XML-RPC protection
A WordPress administrator completely disables XML-RPC via the .htaccess file (deny from all on xmlrpc.php) or installs the Disable XML-RPC plugin, eliminating the pingback attack vector.
Frequently Asked Questions
Three methods: 1) Settings > Discussion > Uncheck 'Allow link notifications from other blogs'. 2) Block xmlrpc.php via .htaccess with 'deny from all'. 3) Install a plugin like Disable XML-RPC or Wordfence that blocks malicious XML-RPC requests.
No. Pingback links are nofollow and provide no direct SEO value. Their only original purpose was to notify cited authors and create a reference network between blogs. In 2026, this feature is obsolete and has been replaced by Webmentions from the IndieWeb standard.
Last updated: 2026-02-07