Last week, we wrote about a report published by Sucuri that explained how 162,000 clean WordPress sites were used in a DDoS attack through the pingback functionality of XML-RPC. Alex Shiels, who works on Akismet, mentioned on Twitter that the security team was working on a solution.
An update to Akismet is now available containing bug fixes, security, and anti-spam improvements. Notably:
Include X-Pingback-Forwarded-For header in outbound WordPress pingback verifications.
Add a pre-check for pingbacks, to stop spam before an outbound verification request is made.
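To show what the two changes above amount to in practice, here is an added illustration (not Akismet's or WordPress's own code) of a pingback pre-check that runs before any outbound verification fetch, and of the X-Pingback-Forwarded-For header attached to that fetch so the site being fetched can see which client triggered it. The site hostname, post paths, rate limit and rejection rules are assumptions made for the example; Akismet's actual checks are not described on this page.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-ins for the receiving blog (assumption: it lives at example.com
# and has exactly these two posts).
SITE_HOST = "example.com"
KNOWN_POST_PATHS = {"/2014/03/ddos-report/", "/2014/03/akismet-update/"}
MAX_PINGS_PER_SOURCE = 5          # assumed rate limit, per source host
_seen = Counter()                  # in-memory counter; a real site would persist this


def pingback_precheck(source_uri, target_uri):
    """Return None if the pingback may be verified, else a rejection reason.

    Everything here runs before any outbound request is made, so a rejected
    pingback never causes this site to fetch a URL on the sender's behalf."""
    src, tgt = urlparse(source_uri), urlparse(target_uri)
    if src.scheme not in ("http", "https") or not src.hostname:
        return "source is not an http(s) URL"
    if tgt.hostname != SITE_HOST or tgt.path not in KNOWN_POST_PATHS:
        return "target is not a post on this site"
    if src.hostname == tgt.hostname:
        return "source and target are the same site"
    try:
        ip = ipaddress.ip_address(src.hostname)
        if not ip.is_global:
            return "source points at a non-public address"
    except ValueError:
        pass  # a hostname, not an IP literal; DNS resolution is out of scope here
    _seen[src.hostname] += 1
    if _seen[src.hostname] > MAX_PINGS_PER_SOURCE:
        return "too many pingbacks from this source"
    return None


def verification_request(source_uri, target_uri, client_ip):
    """Describe the outbound verification fetch a pre-checked pingback would trigger.

    client_ip is the address of the XML-RPC client that submitted the pingback;
    X-Pingback-Forwarded-For passes it along so the source site's operator can
    tell who asked this site to make the request."""
    reason = pingback_precheck(source_uri, target_uri)
    if reason is not None:
        return {"send": False, "reason": reason}
    return {"send": True, "url": source_uri,
            "headers": {"X-Pingback-Forwarded-For": client_ip}}
```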
According to Shiels, anti-spam checks were performed after a pingback was verified and WordPress didn’t pass