---
title: "Pingback Was a Good Idea — It Still Is"
date: "2026-03-15T06:05:41+00:00"
url: "https://invis.net/pingback-was-a-good-idea-it-still-is/"
author: "invisnet"
license: "CC BY-ND 4.0"
license_url: "https://creativecommons.org/licenses/by-nd/4.0/"
site: "invis.net"
copyright: "Copyright 2024-2026 Charles Lecklider. All rights reserved."
disclaimer: "Personal website. Opinions are my own."
categories:
  - "Article"
tags:
---

# Pingback Was a Good Idea — It Still Is

If you've ever run a WordPress site, you've probably seen the advice: disable Pingbacks. They're a spam vector, they're a security risk, just turn them off.

It's not wrong. But it's a shame, because the idea behind Pingback is good. One site links to another, and sends a notification. No accounts, no API keys, no central platform — just one site telling another "I linked to you." It's how the web was supposed to work. It's how the web *did* work: decentralised and open.

The problem isn't the concept. It's that there's no way to check who's really sending the notification.

A Pingback is an XML-RPC call to `pingback.ping` carrying two URLs: a source (the page on the sender's site that supposedly contains the link) and a target (the page on yours). The claim is "this page on my site links to this page on yours", and the receiving site has no way to verify that from the request alone. So it does the only thing it can — it fetches the claimed source page to check whether the link actually exists.

That fetch is where things go wrong.

An attacker sends Pingback requests to thousands of servers, all claiming that victim.com is the source. Every receiving server fetches from victim.com to verify. The victim sees a flood of requests from legitimate servers worldwide, with no obvious common origin. It's a reflected amplification attack, and it works because no one checks whether the sender is authorised to speak for the source domain before making that fetch.

This is exactly the problem email had before SPF. Any mail server could claim any sender address. SPF fixed it: domain owners publish a DNS record declaring which servers are authorised to send email on their behalf. Receivers check the record before accepting the message. It's been running at global scale since 2003.

Pingback has the same structural vulnerability. Why not use the same approach to fix it?

## How I got here

I maintain WP fail2ban, a WordPress plugin that logs authentication and security events for the fail2ban intrusion prevention framework. I was looking at what else the plugin could cover when Pingback security was in the news again, so I dug into what the actual problems were.

The deeper I looked, the more exact the parallel with email became. Not superficial, but structural: the same trust model, the same spoofing vulnerability, the same missing authorisation layer, the same solution. The idea sat for a couple of years before I wrote it up properly. The result is PPF.

## PPF: Pingback Permitted From

PPF — from SPF's original name, "Sender Permitted From" — is a DNS-based authorisation mechanism for Pingback, directly modelled on SPF. A domain owner publishes a DNS TXT record declaring which hosts are permitted to send notifications for URLs on that domain. Receivers query this record and reject unauthorised notifications before any HTTP request touches the claimed source.

When a PPF-aware server receives a Pingback, it checks DNS before doing anything else. The check keys on the connecting IP address, the one part of the exchange an attacker can't forge across an established TCP connection, rather than on anything in the request body. If the sender isn't authorised, the notification is rejected and the source URL is never fetched. The amplification attack fails because there's nothing to amplify — the victim's server is never contacted.

For sites without PPF records, nothing changes. Receivers can operate in permissive mode during the transition, only enforcing where records exist — exactly as email receivers did during SPF's early adoption.

## Webmention

Webmention is essentially Pingback without XML-RPC — a simpler transport for the same notification model. It's a W3C Recommendation, but adoption has been limited. It has the same sender authentication vulnerability; the W3C spec recommends receiver-side mitigations but doesn't solve the underlying problem. PPF covers both protocols. A single DNS record authorises senders regardless of which notification protocol they use.

## What a record looks like

For anyone who's worked with SPF, PPF records will look familiar:

    _pingback.example.com. IN TXT "v=ppf1 a"

This says: the IP addresses that resolve from my domain are authorised to send notifications for it. The mechanisms — `a`, `ip4`, `ip6`, `include`, `none` — work the way you'd expect.
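As an added example (not code from ppf1.org, WP fail2ban, or this article), here is a receiver-side check in Python that covers both the record format above and the gate described under "PPF: Pingback Permitted From". The record grammar follows the article; the semantics given to `a`, `ip4`, `ip6`, `include` and `none` are assumed to mirror SPF, the ten-level `include` limit is an assumption, the zone data and the `pingback.ping` request are constructed, and DNS is replaced by an in-memory table so the script runs offline.

```python
"""PPF-style gate for incoming Pingbacks (added example, not ppf1.org or WP fail2ban code).

Record grammar follows the article's "v=ppf1" TXT record. The semantics given
to a / ip4 / ip6 / include / none are assumed to mirror SPF; check the spec at
ppf1.org before relying on them. DNS is a constructed in-memory table so the
script runs offline.
"""
import ipaddress
import xmlrpc.client
from urllib.parse import urlparse

# Constructed zone data standing in for live DNS answers.
ZONE = {
    ("_pingback.example.com", "TXT"): ["v=ppf1 a ip4:203.0.113.0/24 include:blog-host.example"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "AAAA"): ["2001:db8::10"],
    ("_pingback.blog-host.example", "TXT"): ["v=ppf1 ip6:2001:db8:1::/48"],
    ("_pingback.static.example", "TXT"): ["v=ppf1 none"],
}


def lookup(name, rtype):
    """Stand-in resolver: swap for a real DNS query in production."""
    return ZONE.get((name.rstrip("."), rtype), [])


def ppf_mechanisms(domain):
    """Mechanism list from the domain's PPF record, or None if it publishes none."""
    for txt in lookup(f"_pingback.{domain}", "TXT"):
        fields = txt.split()
        if fields and fields[0] == "v=ppf1":
            return fields[1:]
    return None


def authorised(sender_ip, domain, depth=0):
    """Evaluate domain's PPF record against the connecting IP.

    Returns "pass", "fail", or "none" (no record published).
    """
    if depth > 10:  # assumed limit; stops include: loops and lookup blow-up
        return "fail"
    mechs = ppf_mechanisms(domain)
    if mechs is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in mechs:
        if mech == "none":                      # assumed: nothing may send for this domain
            return "fail"
        if mech == "a":                         # sender is one of the domain's own addresses
            rtype = "A" if ip.version == 4 else "AAAA"
            if any(ipaddress.ip_address(addr) == ip for addr in lookup(domain, rtype)):
                return "pass"
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if net.version == ip.version and ip in net:
                return "pass"
        elif mech.startswith("include:"):       # recurse into another domain's record
            if authorised(sender_ip, mech[len("include:"):], depth + 1) == "pass":
                return "pass"
        # unknown mechanisms are ignored rather than treated as a match
    return "fail"


def handle_pingback(sender_ip, body):
    """Receiver-side decision made from DNS alone, before any HTTP fetch.

    sender_ip is the TCP peer address of the XML-RPC request, the one thing in
    the exchange an attacker cannot forge. Returns "verify" when the receiver
    may go on to fetch the source page, otherwise "reject".
    """
    try:
        params, method = xmlrpc.client.loads(body)   # use defusedxml on untrusted input
    except Exception:
        return "reject"
    if method != "pingback.ping" or len(params) != 2:
        return "reject"
    source_uri, _target_uri = params
    host = urlparse(str(source_uri)).hostname
    if not host:
        return "reject"
    if authorised(sender_ip, host) == "fail":
        return "reject"   # source is never fetched, so there is nothing to reflect
    return "verify"       # "pass", or "none" in permissive transition mode


# Constructed pingback.ping call, as a WordPress site would receive it over XML-RPC.
PINGBACK_REQUEST = xmlrpc.client.dumps(
    ("https://example.com/posts/1", "https://receiver.example/article"),
    methodname="pingback.ping",
)

if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.77", "2001:db8:1::5", "192.0.2.1"):
        print(ip, handle_pingback(ip, PINGBACK_REQUEST))
```

The only value the gate trusts is the TCP peer address; everything in the XML-RPC body is attacker-controlled. The verdict is taken before any HTTP request, so a `fail` means the claimed source is never contacted, which is exactly what removes the reflection. A domain with no record still gets its source fetched (the permissive transition mode the article describes); tightening that is a policy choice for the receiver. For a real deployment, swap `lookup` for a resolver call and parse the XML-RPC body with defusedxml.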

## Where to find it

The full specification, along with some tools to help get you started, is at [ppf1.org](https://ppf1.org).

---

Pingback was built for a decentralised web — one where any site could talk to any other without asking permission.

That web is still there if you want it to be.


