edit-icon download-icon

Prevent WordPress Pingback attacks

Last Updated: Mar 20, 2018

This document describes how to prevent WordPress Pingback attacks through the WAF Business and Enterprise editions.

What is a WordPress Pingback attack

WordPress is a blog platform developed using the PHP language, and pingback is a plug-in of WordPress. Hackers can use pingback to initiate WordPress Pingback attacks against the website.

pingback attack

After suffering from the WordPress attack, you can see a lot of requests with User-Agent containing WordPress and pingback on the server log.


As a variant of HTTP flood attack, WordPress Pingback attacks typically have the following symptoms: slow webpage loading, excessive server CPU consumption, response/data loss, and so on.

How to use WAF for defense

Note: The WordPress Pingback attack defense is only supported for the Business and Enterprise editions of WAF.

  1. Log on to the WAF console, and access the Website Configuration page.

  2. Locate the domain name for protection, and then click Policies under its Operation column.

  3. Enable HTTP ACL Policy and click Settings.

  4. Click Add Rule, and add the following access control rules respectively.

    • Block the access containing pingback in User-Agent.

      • Rule name: wp1
      • Matching field: User-Agent
      • Logical operator: Includes
      • Matching content: pingback
      • Action: Block
    • Block the access containing WordPress in User-Agent.

      • Rule name: wp2
      • Matching field: User-Agent
      • Logical operator: Includes
      • Matching content: WordPress
      • Action: Block

    Note: You must add both the rules separately.

Thank you! We've received your feedback.