If you’re wondering why trackbacks and pings aren’t working on your blog then you might want to do what I did earlier today: allow your blog to talk to other servers.
WordPress needs either allow_url_fopen to be set On or to have the Curl extension loaded. If you’re having problems receiving pings from other blogs then both of these are probably turned off or missing. Wouldn’t it be nice if Options->Discussion warned that pings wouldn’t work?
Look in your php.ini, or the output of phpinfo() to check for both. If you want to enable fopen, then the entry in php.ini should look like this:
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
I switched to Litespeed web server a while back and by default allow_url_fopen is set to Off and the curl library isn’t included. Check /opt/lsws/php/php.ini and make sure remote fopens are allowed!
Thanks Barry for helping me fix that.
PS. if you linked to this blog recently, feel free to save your post again. WordPress will ping my site again and this time the ping will get through.
25 Comments
Gene Steinberg (3 comments.) on January 11, 2008 at 7:34 pm.
Clarify: If you have Curl loaded on your server already as, then the modified php.ini isn’t needed?
Am I getting this right?
Here’s what I have:
cURL support enabled
cURL Information libcurl/7.16.0 OpenSSL/0.9.8g zlib/1.2.3 libidn/0.5.6
So I’m OK?
Peace,
Gene
Michael Martin (1 comments.) on January 11, 2008 at 8:10 pm.
MediaTemple have sent out warnings that all their Grid Service packages will be changing to “allow_url_fopen = Off” by default in the next few weeks, because it’s a security risk in some programs apparently.
I’m glad you wrote this. I now know to re-enable it come the time.
Tadd (6 comments.) on January 11, 2008 at 8:21 pm.
hmmm .. that’s very interesting. I’ll have to figure out if I can edit my PHP.ini on my server since I don’t receive any pings or trackbacks or anything … or maybe I’m just not popular enough for that stuff!
Conor (5 comments.) on January 11, 2008 at 8:44 pm.
Its generally recommended that you leave allow_url_fopen disabled
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html
With WP’s not so spectacular record on security I’d rather leave my system as hardened as possible.
Donncha (1707 comments.) on January 11, 2008 at 8:47 pm.
Gene – you should be fine with Curl.
Tadd – has anyone linked to a post on your blog?
Michael – that’s a big change! It could be viewed as a security risk, but only because it lets php talk to another server. If a malicious script somehow got onto your server it could use fopen() to quickly send information elsewhere.
It could also use Curl, fsockopen, and other means too of course, but fopen() with a url is the handiest.
Tadd (6 comments.) on January 11, 2008 at 9:15 pm.
Donncha – I think I had one track back when I posted my love for Guitar Hero 3. Otherwise, I’ve not received any. Period. I’ve gotten a small bit of spam … (57 in about 6 months) …
Maybe I just don’t have that popular of a blog. Though I’ve linked it via my old blogs (xanga and myspace) and have let my family and friends know of it … then again, maybe I’m not that interesting! haha .. no can’t be it.
My fopen is off – so maybe taht hs something to do with it … tried enabling it and got an error – so I need to dig around and see what the deal is … According to my host I can add a php.ini file with the changes to whatever folders I want that change it – but when I do it screws the site up totally. Bummer, eh?
Jacob Santos (1 comments.) on January 12, 2008 at 12:01 am.
@Conor
Yeah, it was a security risk, but if you read the page, it lists why it is a security risk. It lists code injection, which is primarily number one, however there might be other bugs which might make using fopen and friends inject code into your application (unlikely if you are using the latest PHP5 version though and also unlikely ever because of the circumstances that have to meant first).
It lists two reason:
1. Include and Require used to use it for whether URL could be included or required back in the pre PHP 4.3 days. This is not the case and those two were split from allow_url_open to allow_url_include, which should always be disabled.
2. Developers don’t sanitize or filter the content returned, so it is a security risk in that developers are usually lazy and output something that could have JavaScript. Run it through Kses or HTML Purifier!
I would say that as long as you don’t use PHP 4.2 and filter your content you’ll be fine to use allow_url_fopen.
Bill Masella (1 comments.) on January 12, 2008 at 1:00 am.
Is this something that I can add to my htaccess file since my webhost doesn’t give me access to any php.ini files? What would the entry look like?
Mosey on January 12, 2008 at 1:26 am.
My server host actually has allow_url_fopen off by default (for security reasons as well I believe) and I don’t think I can actually modify php.ini either (probably the banes of shared hosting :p) but I do receive pings/trackbacks I think, judging by the amount of spam that Akismet picks up as pings/trackbacks. And certainly if I accidentally link to one of my own posts in full rather than relatively, I get a ping-back from myself. Not sure how this ping stuff all strictly works, but like the first commentator (Gene) Curl is also enabled on the server, so maybe that’s why it works?
Keith (2 comments.) on January 12, 2008 at 6:08 am.
I don’t get it. Do you mean ping/trackbacks to or from other servers? I’ve noticed that by pings to others generally work, but may take a few days (and can be a bit iffy if the blogger is using Akismet). But I’ve never received a ping from another blog.
Elliot Lee (1 comments.) on January 12, 2008 at 8:45 am.
I have a big problem with constant ping and trackback spam. I have Akismet and SK2, but I still have to “mark as spam” lots of trackbacks every single day. Anyone have a suggestion?
John Stevens (1 comments.) on January 12, 2008 at 3:23 pm.
As Michael Martin mentions above, MediaTemple are switching this to “Off” soon, although their email seems to say that you can turn it back on again if needed.
I actually turned it off in php.ini to see what changes might take place, but it still seems that pings are being picked up by Google as they happen.
Any ideas on that?
Petter (2 comments.) on January 13, 2008 at 12:46 am.
Thanks for informing more people about this. I tried to a while ago in Norwegian, but I don’t think many noticed
Another relevant tip regarding K2: this theme seems to be missing a call to trackback_rdf. I reported an issue about it, but it’s still not fixed in RC4.
markku (1 comments.) on January 13, 2008 at 7:50 am.
fopen() is typically disabled in shared hosting environments, which most users of WordPress are on. Why not use alternative php packages that do the job just the same?
Leonid Mamchenkov (1 comments.) on January 13, 2008 at 2:32 pm.
If curl is enabled and fopen allowed to open URLs, but pingbacks/trackbacks still don’t work, then what might be the problem? And, by the way, they aren’t in the SPAM list either…
Soccer Dad (2 comments.) on January 13, 2008 at 3:01 pm.
I think what Media Temple is doing is a smart move. Dreamhost did it a year ago. While fopen isn’t the risk it once was, curl is more feature rich and they seem to focus intently on security. Just because WordPress core may be secure, there’s no telling about that ‘super cool must have plugin’ Plus they’re doing it for a macro hardening since there’s no telling what some user sare putting on their hosting slices.
If you’re using WordPress, any plugin/code you use should call wp_remote_fopen anyway, which will use curl if allow_url_fopen is set to Off.
sexy shoes on January 14, 2008 at 6:33 am.
Can you be a little more explanatory??? coz i receive ping from other blogs but not able to send one.Do you have any solution for this and please let me know the changes i have to impliment in my Word press.
Manuel (1 comments.) on January 14, 2008 at 9:40 am.
Sounds interesting. Unfortunately I don’t know where I should look this up. Where do I find the allow-line? Und what settings? Or do I have to change something in some files itself? In which ones?
As you can see, I suck with computers.
cheers,
Manuel
Pingback: WordPress Wednesday News: WordPress 2.5 On Track, Uninstalling WordPress Plugins, Premium WordPress Themes Debated, Permalinks, and More WordPress News : The Blog Herald
Pingback: How to fix blog pinging and trackback problems | WordPressGarage.com
Erik Heidt (1 comments.) on January 17, 2008 at 3:30 pm.
How can I test to see if pings and trackbacks are working ?
- Erik
Niall O'K (21 comments.) on January 19, 2008 at 6:31 pm.
I’ve no idea about cURL, but my php.ini reads:
cgi.fix_pathinfo = 1
cgi.force_redirect = 0
allow_url_fopen = On
… and still trackbacks seem to be broken.
Meh???!
Niall O'K (21 comments.) on January 30, 2008 at 10:26 am.
Oh and allow_url_fopen shows as on in phpinfo()… still trackbacks don’t seem to work.
This post, for example: http://blog.niallok.com/index.php/2008/01/29/i-feel-pretty-and-witty-and-fluffy/
should have a trackback from here: http://www.mulley.net/2008/01/30/fluffy-links-wednesday-january-30th-2008/
any ideas, Donncha???
Donncha (1707 comments.) on January 30, 2008 at 10:37 am.
Niall – maybe Damien has moderated it and hasn’t approved it yet? Or maybe the problem is on his server? I received a trackback on my Creme Egg post here from you.
Chances are Damien has fopen closed off and trackbacks aren’t being accepted by his server.
Niall O'K (21 comments.) on January 31, 2008 at 10:34 pm.
Possibly, but trackbacks aren’t appearing on my site for links from any other site (including internal links from my own site). They are appearing in the “Incoming Links” on the dashboard though (although I realise this is controlled by Google blogsearch).