This topic describes how to prevent WordPress pingback attacks by using WAF.
Introduction to WordPress pingback attacks
WordPress is a blog platform that is written in PHP, and a pingback is a plug-in of
WordPress. Attackers can use the pingback to initiate WordPress pingback attacks against
a website.

When WordPress pingback attacks occur, a large number of requests are displayed on
the server log, and the User-Agent fields of these requests contain WordPress and
pingback.

As a variant of HTTP flood attacks, WordPress pingback attacks typically cause the following problems: slow web page loading, high CPU utilization, and no response from servers.
Use WAF to defend against WordPress pingback attacks
- Log on to the WAF console.
- In the left-side navigation pane, choose .
- Click the Access Control/Throttling tab.
- In the Custom Protection Policy section, click Settings.
- Click Custom Protection Policy and add the following two rules.
- Block access requests that contain pingback in User-Agent.
- Rule name: Enter wp1.
- Matching field: Select User-Agent.
- Logical operator: Select Includes.
- Matching content: Enter pingback.
- Action: Select block.
- Block access requests that contain WordPress in User-Agent.
- Rule name: Enter wp2.
- Matching field: Select User-Agent.
- Logical operator: Select Includes.
- Matching content:Enter WordPress.
- Action: Select block.
Note You must add the two rules separately. - Block access requests that contain pingback in User-Agent.