If you’re wondering why trackbacks and pings aren’t working on your blog then you might want to do what I did earlier today: allow your blog to talk to other servers.
WordPress needs either allow_url_fopen to be set On or to have the Curl extension loaded. If you’re having problems receiving pings from other blogs then both of these are probably turned off or missing. Wouldn’t it be nice if Options->Discussion warned that pings wouldn’t work?
Look in your php.ini, or the output of phpinfo() to check for both. If you want to enable fopen, then the entry in php.ini should look like this:
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
I switched to Litespeed web server a while back and by default allow_url_fopen is set to Off and the curl library isn’t included. Check /opt/lsws/php/php.ini and make sure remote fopens are allowed!
Thanks Barry for helping me fix that.
PS. if you linked to this blog recently, feel free to save your post again. WordPress will ping my site again and this time the ping will get through.
Clarify: If you have Curl loaded on your server already as, then the modified php.ini isn’t needed?
Am I getting this right?
Here’s what I have:
cURL support enabled
cURL Information libcurl/7.16.0 OpenSSL/0.9.8g zlib/1.2.3 libidn/0.5.6
So I’m OK?
Peace,
Gene
MediaTemple have sent out warnings that all their Grid Service packages will be changing to “allow_url_fopen = Off” by default in the next few weeks, because it’s a security risk in some programs apparently.
I’m glad you wrote this. I now know to re-enable it come the time. 🙂
hmmm .. that’s very interesting. I’ll have to figure out if I can edit my PHP.ini on my server since I don’t receive any pings or trackbacks or anything … or maybe I’m just not popular enough for that stuff! 🙂
Its generally recommended that you leave allow_url_fopen disabled
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html
With WP’s not so spectacular record on security I’d rather leave my system as hardened as possible.
Gene – you should be fine with Curl.
Tadd – has anyone linked to a post on your blog?
Michael – that’s a big change! It could be viewed as a security risk, but only because it lets php talk to another server. If a malicious script somehow got onto your server it could use fopen() to quickly send information elsewhere.
It could also use Curl, fsockopen, and other means too of course, but fopen() with a url is the handiest.
Donncha – I think I had one track back when I posted my love for Guitar Hero 3. Otherwise, I’ve not received any. Period. I’ve gotten a small bit of spam … (57 in about 6 months) …
Maybe I just don’t have that popular of a blog. Though I’ve linked it via my old blogs (xanga and myspace) and have let my family and friends know of it … then again, maybe I’m not that interesting! haha .. no can’t be it.
My fopen is off – so maybe taht hs something to do with it … tried enabling it and got an error – so I need to dig around and see what the deal is … According to my host I can add a php.ini file with the changes to whatever folders I want that change it – but when I do it screws the site up totally. Bummer, eh?
@Conor
Yeah, it was a security risk, but if you read the page, it lists why it is a security risk. It lists code injection, which is primarily number one, however there might be other bugs which might make using fopen and friends inject code into your application (unlikely if you are using the latest PHP5 version though and also unlikely ever because of the circumstances that have to meant first).
It lists two reason:
1. Include and Require used to use it for whether URL could be included or required back in the pre PHP 4.3 days. This is not the case and those two were split from allow_url_open to allow_url_include, which should always be disabled.
2. Developers don’t sanitize or filter the content returned, so it is a security risk in that developers are usually lazy and output something that could have JavaScript. Run it through Kses or HTML Purifier!
I would say that as long as you don’t use PHP 4.2 and filter your content you’ll be fine to use allow_url_fopen.
Is this something that I can add to my htaccess file since my webhost doesn’t give me access to any php.ini files? What would the entry look like?
My server host actually has allow_url_fopen off by default (for security reasons as well I believe) and I don’t think I can actually modify php.ini either (probably the banes of shared hosting :p) but I do receive pings/trackbacks I think, judging by the amount of spam that Akismet picks up as pings/trackbacks. And certainly if I accidentally link to one of my own posts in full rather than relatively, I get a ping-back from myself. Not sure how this ping stuff all strictly works, but like the first commentator (Gene) Curl is also enabled on the server, so maybe that’s why it works?
I don’t get it. Do you mean ping/trackbacks to or from other servers? I’ve noticed that by pings to others generally work, but may take a few days (and can be a bit iffy if the blogger is using Akismet). But I’ve never received a ping from another blog.
I have a big problem with constant ping and trackback spam. I have Akismet and SK2, but I still have to “mark as spam” lots of trackbacks every single day. Anyone have a suggestion?
As Michael Martin mentions above, MediaTemple are switching this to “Off” soon, although their email seems to say that you can turn it back on again if needed.
I actually turned it off in php.ini to see what changes might take place, but it still seems that pings are being picked up by Google as they happen.
Any ideas on that?
Thanks for informing more people about this. I tried to a while ago in Norwegian, but I don’t think many noticed 😉
Another relevant tip regarding K2: this theme seems to be missing a call to trackback_rdf. I reported an issue about it, but it’s still not fixed in RC4.
fopen() is typically disabled in shared hosting environments, which most users of WordPress are on. Why not use alternative php packages that do the job just the same?
If curl is enabled and fopen allowed to open URLs, but pingbacks/trackbacks still don’t work, then what might be the problem? And, by the way, they aren’t in the SPAM list either…
I think what Media Temple is doing is a smart move. Dreamhost did it a year ago. While fopen isn’t the risk it once was, curl is more feature rich and they seem to focus intently on security. Just because WordPress core may be secure, there’s no telling about that ‘super cool must have plugin’ Plus they’re doing it for a macro hardening since there’s no telling what some user sare putting on their hosting slices.
If you’re using WordPress, any plugin/code you use should call wp_remote_fopen anyway, which will use curl if allow_url_fopen is set to Off.
Can you be a little more explanatory??? coz i receive ping from other blogs but not able to send one.Do you have any solution for this and please let me know the changes i have to impliment in my Word press.
Sounds interesting. Unfortunately I don’t know where I should look this up. Where do I find the allow-line? Und what settings? Or do I have to change something in some files itself? In which ones?
As you can see, I suck with computers.
cheers,
Manuel
How can I test to see if pings and trackbacks are working ?
– Erik
I’ve no idea about cURL, but my php.ini reads:
cgi.fix_pathinfo = 1
cgi.force_redirect = 0
allow_url_fopen = On
… and still trackbacks seem to be broken.
Meh???!
Oh and allow_url_fopen shows as on in phpinfo()… still trackbacks don’t seem to work.
This post, for example: http://blog.niallok.com/index.php/2008/01/29/i-feel-pretty-and-witty-and-fluffy/
should have a trackback from here: http://www.mulley.net/2008/01/30/fluffy-links-wednesday-january-30th-2008/
any ideas, Donncha??? 🙁
Niall – maybe Damien has moderated it and hasn’t approved it yet? Or maybe the problem is on his server? I received a trackback on my Creme Egg post here from you.
Chances are Damien has fopen closed off and trackbacks aren’t being accepted by his server.
Possibly, but trackbacks aren’t appearing on my site for links from any other site (including internal links from my own site). They are appearing in the “Incoming Links” on the dashboard though (although I realise this is controlled by Google blogsearch).