Add a utility filter to disable pingbacks and trackbacks

[jvelo]

XML RPC pingback and trackbacks of public WP sites are used as a gateway for DDoS attacks (see http://wptavern.com/how-to-prevent-wordpress-from-participating-in-pingback-denial-of-service-attacks). This impacts the WP instance used by attackers, which itself becomes subject to a form of denial of service. We should offer an option to disable them easily, since many sites built with WordPress don't even use that functionality.

The article suggest the following snippet :

add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} ;

[nesk]

Should we disable this feature by default? Is it a priority?

[jvelo]

Yes I think it should be disabled by default and that those who want the functionality enable it back :

• Pingback and trackbacks are used by blogs ; those aren't the primary target of this project and most of the time use packaged templates
• It's a pain in term of ops to keep them (sites become subject to spam requests that you have to filter so that legitimate users aren't affected)
• It's easy enough to bring back for those who needs it (though it should be documented).