WordPress Pings And Trackbacks: Why To Disable Them

By The RevealTheme Team

WordPress includes pingback and trackback features that let sites notify each other when one site links to another. The intent was decentralized cross-site discussion: a post links to another post, the linked post automatically receives a notification, and the notification appears as a comment.

The mechanism made sense in 2008. By 2026 it's mostly a spam vector with minimal legitimate use. Disabling pings and trackbacks reduces spam handling overhead and eliminates an attack surface without losing meaningful functionality.

How pingbacks work

Site A publishes a post with a link to a post on Site B. Site A's WordPress installation sends an XML-RPC request to Site B notifying it of the link.

Site B's WordPress installation verifies the link exists (visits Site A's URL to confirm the link is real) and adds a record of the pingback to the comment moderation queue.

If the pingback is approved, it appears as a comment on the linked post, showing the URL of the linking post.

How trackbacks work

Trackbacks are similar to pingbacks but more manual. Site A's post owner explicitly sends a trackback to Site B by entering Site B's trackback URL in their post. Site B receives the trackback and queues it for moderation.

Trackbacks predate pingbacks; pingbacks were designed to automate what trackbacks did manually.

Why both are problematic in 2026

Spam volume. Automated tools send fake pingbacks and trackbacks at scale. The spam is hard to distinguish from legitimate notifications.

Attack vector. The XML-RPC endpoint used for pingbacks has been used in DDoS attacks (pingback amplification attacks) where attackers use many WordPress sites to amplify traffic at a target.

Low legitimate value. The decentralized cross-site discussion that pings were meant to enable mostly happens elsewhere now (social media, dedicated discussion platforms). The remaining legitimate pings are a tiny fraction of total ping traffic.

Moderation overhead. Even with spam filtering, pings require moderation attention that's better spent elsewhere.

What disabling them does

Stops sending pingbacks from your site when you link to other sites. Your site stops notifying other sites.

Stops accepting pingbacks to your site. Your site stops receiving notifications from other sites.

Stops the XML-RPC endpoint from accepting pingback requests (mitigation of the attack vector).

Reduces comment moderation overhead.

What you don't lose

Real cross-site discussion. The discussion that matters happens on social media, email, and direct communication. The automated pings aren't producing meaningful discussion in 2026.

SEO benefits. Pingbacks don't affect SEO directly. The link from another site to yours provides SEO value regardless of whether a ping is sent.

Legitimate notifications. The fraction of pings that were legitimate is small enough that the loss isn't meaningful.

How to disable them

Disable for new posts: under Settings > Discussion, uncheck "Attempt to notify any blogs linked to from the article" and "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles".

For existing posts: the settings only affect new posts. For existing posts with pings enabled, bulk-edit them to disable pings, or use WP-CLI:

wp post list --post_type=post --field=ID | xargs -n 1 wp post update --ping_status=closed

Disable XML-RPC pingback specifically: add to functions.php or a site-specific plugin:

add_filter('xmlrpc_methods', function($methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
});

The filter removes pingback-specific methods from the XML-RPC interface, which mitigates the amplification attack vector.
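To confirm the filter took effect, ask the site which methods it still advertises. The check below is an added example, not code from the original post: the helper names, URLs and sample responses are constructed for illustration, and it assumes a removed method is answered with the standard XML-RPC "method not found" fault (-32601).

```python
import xmlrpc.client

PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}

def build_ping_request(source_url, target_url):
    """XML-RPC body Site A sends to Site B: pingback.ping(source, target)."""
    return xmlrpc.client.dumps((source_url, target_url), methodname="pingback.ping")

def exposed_pingback_methods(list_methods_response):
    """Return the pingback methods a system.listMethods response still advertises."""
    (methods,), _ = xmlrpc.client.loads(list_methods_response)
    return sorted(PINGBACK_METHODS.intersection(methods))

def ping_rejected_as_unknown(ping_response):
    """True if the reply to pingback.ping is the 'method not found' fault (-32601)."""
    try:
        xmlrpc.client.loads(ping_response)
    except xmlrpc.client.Fault as fault:
        return fault.faultCode == -32601
    return False  # a normal (non-fault) reply means the method was dispatched

def check_live(xmlrpc_url):
    """Query your own site's xmlrpc.php (makes one network request)."""
    methods = xmlrpc.client.ServerProxy(xmlrpc_url).system.listMethods()
    return sorted(PINGBACK_METHODS.intersection(methods))

# Constructed sample responses (not captured from a real site).
_CORE = ["system.listMethods", "system.multicall", "wp.getPost"]
SAMPLE_BEFORE = xmlrpc.client.dumps((_CORE + sorted(PINGBACK_METHODS),), methodresponse=True)
SAMPLE_AFTER = xmlrpc.client.dumps((_CORE,), methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(-32601, "requested method pingback.ping does not exist"),
    methodresponse=True,
)

if __name__ == "__main__":
    print(build_ping_request("https://site-a.example/post", "https://site-b.example/linked"))
    print("before filter:", exposed_pingback_methods(SAMPLE_BEFORE))
    print("after filter: ", exposed_pingback_methods(SAMPLE_AFTER))
    print("ping rejected:", ping_rejected_as_unknown(SAMPLE_FAULT))
```

Run check_live against your own site's xmlrpc.php URL before and after adding the filter; an empty list means neither pingback method is advertised.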

The XML-RPC consideration more broadly

Pings use XML-RPC. The XML-RPC interface as a whole has been an attack vector for various reasons: brute force authentication, amplification attacks, vulnerabilities in third-party tools.

For sites that don't use XML-RPC for any legitimate purpose (mobile app integration, certain integrations), disabling it entirely is appropriate. The functionality is largely replaced by the WordPress REST API in modern setups.

Plugins like Disable XML-RPC handle the complete disable. Alternatively, .htaccess rules can block XML-RPC at the server level.

For sites that use XML-RPC for specific integrations: leave it enabled but disable specific methods like pingback. The targeted approach reduces attack surface while keeping legitimate functionality.

The cleanup of existing pingbacks

If your comment moderation queue has accumulated pingbacks (spam or otherwise) over years, cleanup is worthwhile.

Bulk delete spam pingbacks. The Comments admin page lets you filter by spam status and bulk-delete.

For pingbacks that were approved historically: review whether they're worth keeping. Most approved pingbacks from years ago link to abandoned or low-quality sites; the comments don't add value.

The cleanup can take time on sites with many comments. WP-CLI or database queries can accelerate it for sites with thousands of pingbacks.

The migration consideration

For sites that imported content from other platforms, the imported posts may have ping settings inherited from the source. Bulk-update them to disable.

For migrations into WordPress, configure pings to be disabled by default in the destination before import. This prevents the inherited settings from carrying over.

The historical context

Pingbacks and trackbacks were designed for the blogging culture of 2003-2010. The web at that time had decentralized discussion across many blogs; pings were a way to maintain connection between related discussions.

By 2026, the discussion model has shifted. Social media platforms handle cross-site discussion. Newsletters and podcasts handle deeper conversation. Pingbacks linger as a feature from an earlier era.

The decision to disable isn't a judgment against the feature's original design. It's recognition that the modern web has moved on and the feature has become net negative.

The honest framing

Pings and trackbacks are a small operational detail with security implications. Disabling them is one of the small wins that adds up across many small operational improvements.

The investment is small: 15 minutes to disable settings, optionally a custom code snippet for the XML-RPC method removal. The benefit is real: less spam handling, smaller attack surface, fewer moderation distractions.

For sites that haven't disabled pings, this is one of those "should have done years ago" tasks. Do it now and forget about pings going forward.

For sites that disable pings, the operational simplification is real but quiet. Nothing breaks; comment volume decreases slightly; the moderation queue stays cleaner. The benefits aren't dramatic but they compound.