HTTP-header X-Pingback when pingbacks are turned off
Reported by: ose | Owned by: anonymous
Severity: minor | Keywords: http pingback security
When switching off pingbacks under options/discussion, WordPress still sends an X-Pingback HTTP header back to the browser.
This has two disadvantages:
- It causes unnecessary traffic by other servers trying to ping WordPress.
- It reveals more information than necessary (essentially reveals that a server is running WordPress even if the web master tries to hide that fact in other places for security reasons).
Expected behavior: When pingbacks are disabled, WordPress should not send the X-Pingback header to the browser.
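A regression check for the expected behavior above, added here as an example and not part of the original ticket or of WordPress: it parses a captured response head and reports any X-Pingback header seen while pingbacks are switched off. The function names, the `pingbacks_enabled` flag and the sample responses (host `blog.example`) are constructed for illustration.

```python
from email.parser import Parser


def parse_headers(raw: str) -> list:
    """Return (name, value) pairs from a raw HTTP response head, skipping the status line."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop the body, if any
    _status, _, header_block = head.partition("\n")        # drop "HTTP/1.1 200 OK"
    return Parser().parsestr(header_block, headersonly=True).items()


def check_pingback_header(raw: str, pingbacks_enabled: bool) -> list:
    """List a finding for every X-Pingback header sent while pingbacks are disabled."""
    # Header names are case-insensitive, so compare in lower case.
    values = [v for k, v in parse_headers(raw) if k.lower() == "x-pingback"]
    if pingbacks_enabled:
        return []  # the header is expected when the feature is on
    return [f"X-Pingback sent while pingbacks are disabled: {v}" for v in values]


# Constructed sample responses, not captured from a real site.
RESPONSE_WITH_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Pingback: https://blog.example/xmlrpc.php\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_LOWERCASE = RESPONSE_WITH_HEADER.replace("X-Pingback", "x-pingback")
RESPONSE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in [("with header", RESPONSE_WITH_HEADER), ("clean", RESPONSE_CLEAN)]:
        findings = check_pingback_header(raw, pingbacks_enabled=False)
        print(name, "->", findings or "ok")
```
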