WP’s XML-RPC functionality a security vulnerability?

WP’s XML-RPC functionality a security vulnerability?

Patty Ayers
If this is off-topic, I apologize. A web host I use sent me this "courtesy
security alert", copy-pasted below. Is this accurate? What about their
recommendations, do you agree with their advice? I have about 25 live WP
sites and want to keep them as secure as possible. I do use basic good
security measures (strong passwords, themes and plugins updated, nightly
off-site backups, etc.) already. Thanks very much in advance,

Patty
---------------------------------------

"Dear Customer,

Please consider this a courtesy security alert. This message only applies
to WordPress websites.

We wanted to make you aware of a vulnerability in WordPress that is
becoming an increasingly popular exploit for attackers.

The vulnerability is from WordPress’s XML-RPC
<http://codex.wordpress.org/XML-RPC_Support> functionality, a feature
enabled by default since version 3.5. Attackers are abusing the feature to
launch DDoS attacks against other sites.

It is important to note that XML-RPC does serve some legitimate purposes
<http://codex.wordpress.org/XML-RPC_Support>, including the pingback
<http://en.support.wordpress.com/comments/pingbacks/> feature and the
ability to post content remotely from various WebLog clients
<http://codex.wordpress.org/Weblog_Client>.

Due to the scale and nature of the exploits, however, we would like to
recommend that WordPress owners who do not require or need the XML-RPC
functionality take steps to disable the threat from their site.

For advanced WordPress users, XML-RPC can be disabled by modifying the
functions.php file from the site.
For general users, there are several plugins available that disable
XML-RPC, including “Disable XML RPC Fully
<https://wordpress.org/plugins/disable-xml-rpc-fully/>” ..."

_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: WP’s XML-RPC functionality a security vulnerability?

Jeremy Clarke
I've noticed a huge surge in trash traffic to /xmlrpc.php on my big sites.
In my case they are coming from different IPs every time, which makes them
very hard to block (and indicates a DDoS or at least a distributed intrusion
attempt).

Originally they were coming in with a specific user-agent so I could at
least block them from loading the page, but today it seems they've switched
to empty user agents, making the requests a lot harder to block.

AFAIK there's no fundamental flaw in WP that would make all these requests
a security hazard, but anything that hits the login functionality in WP
over and over is going to have a bad performance impact because of
transients or whatever else gets saved to the DB when someone tries to log
in (which is probably what the XMLRPC requests are actually doing).


--
Jeremy Clarke
Code and Design • globalvoicesonline.org
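As an added example (not part of Jeremy's post or of the thread), the PHP script below summarises xmlrpc.php traffic from a combined-format access log, to put numbers on the pattern he describes: many distinct source addresses, a handful of requests each, and a User-Agent that is absent (logged as "-"). The log lines are constructed for the example; the addresses come from documentation ranges and the user-agent strings are illustrative. The thresholds in looks_distributed() are arbitrary choices for the example, not values from the thread.

```php
<?php
// Added example, not from the thread. Run with: php xmlrpc_traffic.php [access.log]
// Without an argument it analyses the constructed sample below.
declare(strict_types=1);

/** Constructed sample in Apache/nginx "combined" format (documentation IP ranges, not real hosts). */
function sample_log(): string
{
    return <<<'LOG'
203.0.113.10 - - [21/Jul/2014:14:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.11 - - [21/Jul/2014:14:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [21/Jul/2014:14:02:02 +0000] "GET /2014/07/hello-world/ HTTP/1.1" 200 10233 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
203.0.113.12 - - [21/Jul/2014:14:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.12 - - [21/Jul/2014:14:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.44 - - [21/Jul/2014:14:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1152 "-" "WordPress/3.9.1; http://blog.example"
203.0.113.13 - - [21/Jul/2014:14:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
LOG;
}

/**
 * Tally POSTs to xmlrpc.php: total, distinct client IPs, empty-User-Agent
 * count, and per-IP / per-UA breakdowns. Lines that do not parse are skipped.
 */
function summarise_xmlrpc_traffic(string $log): array
{
    // %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    $s  = ['requests' => 0, 'distinct_ips' => 0, 'empty_ua' => 0, 'per_ip' => [], 'per_ua' => []];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $method, $target, $status, $ua] = $m;
        // Only POSTs reach the XML-RPC server; a GET just gets a static refusal page.
        if ($method !== 'POST' || basename((string) parse_url($target, PHP_URL_PATH)) !== 'xmlrpc.php') {
            continue;
        }
        $s['requests']++;
        $s['per_ip'][$ip] = ($s['per_ip'][$ip] ?? 0) + 1;
        $s['per_ua'][$ua] = ($s['per_ua'][$ua] ?? 0) + 1;
        if ($ua === '-' || $ua === '') {   // both Apache and nginx log a missing header as "-"
            $s['empty_ua']++;
        }
    }
    $s['distinct_ips'] = count($s['per_ip']);
    arsort($s['per_ip']);
    arsort($s['per_ua']);
    return $s;
}

/**
 * Heuristic for the pattern in the thread: many sources sending a few
 * requests each, most with no User-Agent, is distributed probing rather
 * than one misbehaving client. Thresholds are arbitrary example values.
 */
function looks_distributed(array $s, int $minIps = 3, float $maxPerIp = 2.0, float $minEmptyUaShare = 0.5): bool
{
    if ($s['requests'] === 0) {
        return false;
    }
    return $s['distinct_ips'] >= $minIps
        && $s['requests'] / $s['distinct_ips'] <= $maxPerIp
        && $s['empty_ua'] / $s['requests'] >= $minEmptyUaShare;
}

$log = isset($argv[1]) ? (string) file_get_contents($argv[1]) : sample_log();
$s   = summarise_xmlrpc_traffic($log);
printf("xmlrpc.php POSTs: %d from %d IPs, %d with empty User-Agent\n", $s['requests'], $s['distinct_ips'], $s['empty_ua']);
foreach ($s['per_ua'] as $ua => $n) {
    printf("  %4d  %s\n", $n, $ua);
}
echo looks_distributed($s) ? "pattern: distributed, UA-less probing of xmlrpc.php\n" : "pattern: not distributed\n";
```

On the constructed sample this counts 6 POSTs from 5 addresses, 4 of them without a User-Agent, and flags the pattern as distributed. The same numbers are what makes per-IP blocking ineffective here: no single address crosses a sensible threshold, which is why the thread's advice leans towards removing the endpoint rather than filtering it.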

Re: WP’s XML-RPC functionality a security vulnerability?

Stephen Harris
I too have noticed some DoS attacks using XML-RPC to target the site.
But the e-mail from the host said:

> Attackers are abusing the feature to launch DDoS attacks against
> other sites.

so it would seem they are referring to something like
https://core.trac.wordpress.org/ticket/4137 (which is fixed).

So I would follow their advice (disable XML-RPC if you don't need it),
but it's not clear what vulnerability they are referring to.

Re: WP’s XML-RPC functionality a security vulnerability?

Joshua Eichorn
Likely they are talking about xml-rpc ping attacks.

http://wordpress.org/plugins/remove-xmlrpc-pingback-ping/

-josh


On Mon, Jul 21, 2014 at 9:52 AM, Stephen Harris <[hidden email]>
wrote:

> I too have noticed some DoS attacks using XML-RPC to target the site. But
> the e-mail from the hosts said:
>
>  > Attackers are abusing the feature to launch DDoS attacks against other
> sites.
>
> so it would seem they are referring to something like
> https://core.trac.wordpress.org/ticket/4137 (which is fixed).
>
> So I would follow their advice (disable XML-RPC if you don't need it), but
> it's not clear what vulnerability they are referring to
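The host's message recommends disabling XML-RPC from functions.php, and Josh points at the remove-xmlrpc-pingback-ping plugin. The mu-plugin below is an added example that covers both, written for this page rather than taken from the thread or from either plugin; the constant name HXR_DISABLE_ALL is an arbitrary choice for the example. One caveat worth knowing before relying on the functions.php route: the xmlrpc_enabled filter only gates the methods that require authentication, and pingback.ping (the method behind the reflected DDoS the host describes) is unauthenticated, so turning xmlrpc_enabled off on its own does not stop a site from being used as a pingback reflector. Removing the pingback methods from the server's method table does, which is why that part runs in both modes.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 *
 * Added example, not code from the thread or from the "Disable XML RPC Fully"
 * or "remove-xmlrpc-pingback-ping" plugins. Drop it into wp-content/mu-plugins/
 * or paste the hooks into a theme's functions.php, as the host suggests.
 */

defined( 'ABSPATH' ) || exit;

// true  = refuse every authenticated XML-RPC call (what the host's advice amounts to).
// false = keep XML-RPC for remote-publishing clients, remove only the pingback surface.
// HXR_DISABLE_ALL is an assumed name, local to this example.
define( 'HXR_DISABLE_ALL', false );

if ( HXR_DISABLE_ALL ) {
	// Core consults this filter before any method that requires a login and
	// answers with a fault saying XML-RPC services are disabled. It does NOT
	// stop pingback.ping, which needs no login, so the hooks below still apply.
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Remove the pingback methods from the method table. A pingback.ping call then
// gets the standard "method does not exist" fault instead of making this site
// fetch the attacker-chosen sourceURI (the reflection that hits other sites).
add_filter( 'xmlrpc_methods', function ( array $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Stop advertising the endpoint: core adds an "X-Pingback: .../xmlrpc.php"
// response header, which is how scanners find candidate reflectors cheaply.
add_filter( 'wp_headers', function ( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// Likewise blank the pingback URL themes print as <link rel="pingback" href="...">.
add_filter( 'bloginfo_url', function ( $output, $show ) {
	return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
```

To check the result from outside, POST a system.listMethods call to /xmlrpc.php with curl: pingback.ping should no longer appear in the returned list, and with HXR_DISABLE_ALL set any authenticated method should return the "services are disabled" fault. If XML-RPC is not needed at all, denying POST to /xmlrpc.php in the web server configuration is cheaper still, because the request never reaches PHP and none of the per-login database work Jeremy mentions happens.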