Today, I sent an idea to WordPress for a better way to prevent XML-RPC pingback abuse. Below is my idea:
As we know, in March 2014 a huge number of WordPress-hosted sites (around 160,000, according to the Sucuri blog) were involved in, or used by, attacks on other sites. The attackers succeeded in exploiting a vulnerability in WordPress XML-RPC. After that, I watched how the WordPress team released a new version. Sadly, the new release only added 5 lines to wp-includes/class-wp-xmlrpc-server.php compared to the old one (I compared 3.8.1 and 3.8.2; after that I did not see any change in the same file in your security release announcements). Those lines only display the IP of whoever requested the XML-RPC pingback; they do not prevent it.
Also, I can see there are many plugins and tutorials on how to disable XML-RPC pingback, and some even suggest disabling XML-RPC itself. But I think we should not lose a feature because of this kind of issue. Of course we need to mitigate or prevent any security issue immediately, but in my opinion, if we can fix a security issue without losing a feature, that is the best way to handle it. So here is my idea:
– create a new table (called url_whitelist) in WordPress, empty by default, with only two fields: id and url. This table holds the whitelist of URLs to which the WordPress site is allowed to send pingbacks
– insert a line into wp-includes/class-wp-xmlrpc-server.php that queries the whitelist table and compares it with $pagelinkedfrom. If the URL exists in the whitelist table, the pingback may be allowed (depending on the next check/control); if not (remember it is empty by default), WordPress will not send a pingback to any URL. So we prevent pingbacks from abusers or scanner tools but still allow WordPress to send pingbacks to whitelisted URLs
– an interface in the dashboard that allows an admin to add whitelist URLs to the whitelist table.
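To show the shape of the check described in the three steps above, here is an added example written as a small plugin. It is not code from the original post and not WordPress core code. It makes two simplifications, both assumptions of this example: the allowlist lives in a WordPress option (assumed name pingback_allowed_hosts) instead of a new url_whitelist table, and the check is attached through the real xmlrpc_methods filter instead of editing class-wp-xmlrpc-server.php. The function names prefixed psa_ are invented for the example. Because the list is empty by default, every pingback.ping request is refused until an admin adds a host, which matches the default-deny behaviour proposed above.

```php
<?php
/**
 * Plugin Name: Pingback Source Allowlist (illustrative example)
 *
 * Added example, not part of the original post or of WordPress core.
 * Keeps the allowlist in an option (assumed name: 'pingback_allowed_hosts')
 * and wraps the pingback.ping XML-RPC method via the 'xmlrpc_methods' filter.
 * With an empty list, every pingback is refused before anything is fetched.
 */

// Hostnames whose pingbacks this site accepts and fetches. Empty by default.
function psa_allowed_hosts() {
    $hosts = get_option( 'pingback_allowed_hosts', array() );
    return is_array( $hosts ) ? array_map( 'strtolower', $hosts ) : array();
}

// True only when $url is an http(s) URL whose host is explicitly listed.
// Exact host comparison: no substring or wildcard matching, so a host
// such as "example.com.attacker.test" does not match "example.com".
function psa_source_is_allowed( $url, array $allowed ) {
    $parts = parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    return in_array( strtolower( $parts['host'] ), $allowed, true );
}

// Replace only pingback.ping with a guarded version; other XML-RPC methods stay as they are.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['pingback.ping'] = 'psa_guarded_pingback';
    return $methods;
} );

// Called by the XML-RPC server with the method arguments: args[0] is the source URI
// (the page claiming to link to us, which core would fetch), args[1] is the target URI.
function psa_guarded_pingback( $args ) {
    global $wp_xmlrpc_server;

    $source = isset( $args[0] ) ? (string) $args[0] : '';

    if ( ! psa_source_is_allowed( $source, psa_allowed_hosts() ) ) {
        // Log the refusal together with the requester's address, then deny without fetching.
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
        error_log( sprintf( 'pingback refused from %s for source %s', $remote, $source ) );
        // 49 is the "Access denied" fault code of the Pingback 1.0 specification.
        return new IXR_Error( 49, 'Pingback source is not on the allowlist.' );
    }

    // Source host is allowed: hand the request to the normal core implementation.
    return $wp_xmlrpc_server->pingback_ping( $args );
}
```

The guard runs before core's pingback_ping, so a refused request never causes the site to fetch the source URL, which is the step abused in the 2014 reflection attacks. The dashboard page for editing the option is the third step above and is not shown here; until it writes a non-empty array to the option, the site answers every pingback with the access-denied fault while the rest of XML-RPC keeps working.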
That is my idea. I am sorry for my English.
If you like the idea, please vote for it at https://wordpress.org/ideas/topic/a-better-way-to-prevent-xmlrpc-ping-back