Resuscitating Pingbacks

My friend Ton’s WordPress blog supports Pingbacks, which the WordPress documentation describes like this:

A pingback is a special type of comment that’s created when you link to another blog post, as long as the other blog is set to accept pingbacks. To create a pingback, just link to another WordPress blog post. If that post has pingbacks enabled, the blog owner will see a pingback appear in their comments section

So, for example, if I want to indicate to Ton that this post is in reference to his post from earlier today, Reinventing Distributed Conversations, his post contains guidance for my blogging engine as to where to send that notification:

<link rel="pingback" href="" />

(I found that by using View > Source from my browser menu when reading Ton’s post).

Unfortunately contemporary Drupal (the blogging software I’m using to write this) has no built-in support for Pingbacks. There have been add-on modules in the past, but none have been updated recently, and none are covered by Drupal’s security advisory policy:

I suspect this is because as Drupal transitioned from Drupal 6 to Drupal 7, the commercial web had taken over,  the social web was withering on the vine, and there was little or no motivation to develop modules for a standard that few were using.

In the interim there are workarounds: this script allows me, in theory, to notify Ton’s blog manually, from the command line, with a Pingback, like this:

./ \ \

I tried that out just now, but it didn’t work: there’s too much in the script that’s not supported by macOS.

So, using guidance here, I tried doing this very manually, created an XML payload:

<?xml version="1.0" encoding="iso-8859-1"?>

and then used cURL to POST that to Ton’s Pingback endpoint:

curl -X POST -d @pingback.xml

But the response I got back suggests that there’s something up on Ton’s end:

<title>403 Forbidden</title>
<p>You don't have permission to access /wp/xmlrpc.php
on this server.</p>

I suspect that might be due to Ton or his surrogates closing off access to Pingback because of a vulnerability.

So no Pingbacks for now, both because my Drupal won’t send them, and Ton’s WordPress won’t receive them.

However, thanks to the diligent work of the IndieWeb tribe, there’s a more modern standard, called Webmention, that might allow us to get to the same place: there’s a plugin for WordPress for Ton’s end, but only support via the atrophied Vinculum module for Drupal; I’ll dig into that and see if there’s a way forward.

In the meantime, I’ll just manually leave a comment on Ton’s blog pointing here.

Update: I reinstalled Vinculum and have it set up to both send and receive Webmentions. As a result, if you View > Source on this page, you’ll find:

<link rel="webmention" href="" />

This means that this page should be able to receive Webmentions. But it seems to be only partially working. Anyone care to send?


Ton Zijlstra's picture
Ton Zijlstra on April 19, 2018 - 02:04 Permalink

Thank you for diving into this. There's indeed something up with the xmlrpc file. It could be used to send a lot of data to a blog at once, including bulk login attempts that would show up only as 1 failed attempt and thus not triggering any alarms. However there's a lot of conflicting info on xmlrpc out there. Wordpress seems to have secured xmlrpc a long time ago, and it seems active on my site (if I simply call it in my browser I get "XML-RPC server accepts POST requests only." so it is listening). Yet I don't receive pingbacks, and you get an error calling it. Also I noticed that a plugin I use, Jetpack, is malfunctioning seemingly from xmlrpc not working properly. Trying to fix that ended up with me running around in circles:

When I curl xmlrpc from the command line I get a 403 error like you. When I visit it with TOR, I get a stack protect measure with a captcha from my hosting provider, similar to when I would approach the login screen.

So it seems my hosting provider is taking security measures. I'll ask them to hear more.