WP’s XML-RPC functionality a security vulnerability?
If this is off-topic, I apologize. A web host I use sent me this "courtesy
security alert", copy-pasted below. Is this accurate? What about their
recommendations, do you agree with their advice? I have about 25 live WP
sites and want to keep them as secure as possible. I do use basic good
security measures (strong passwords, themes and plugins updated, nightly
off-site backups, etc.) already. Thanks very much in advance,
Please consider this a courtesy security alert. This message only applies
to WordPress websites.
We wanted to make you aware of a vulnerability in WordPress that is
becoming an increasingly popular exploit for attackers.
The vulnerability is from WordPress’s XML-RPC
<http://codex.wordpress.org/XML-RPC_Support> functionality, a feature
enabled by default since version 3.5. Attackers are abusing the feature to
launch DDoS attacks against other sites.
Due to the scale and nature of the exploits, however, we would like to
recommend that WordPress owners who do not require or need the XML-RPC
functionality take steps to disable the threat from their site.
For advanced WordPress users, XML-RPC can be disabled by modifying the
functions.php file from the site.
For general users, there are several plugins available that disable
XML-RPC, including “Disable XML RPC Fully
Re: WP’s XML-RPC functionality a security vulnerability?
I've noticed a huge surge in trash traffic to /xmlrpc.php on my big sites.
In my case they are coming from different IP's every time which makes them
very hard to block (and indicating a DDOS or at least distributed intrusion
Originally they were coming in with a specific user-agent so I could at
least block them from loading the page, but today it seems they've switched
to empty user agents, making the requests a lot harder to block.
AFAIK there's no fundamental flaw in WP that would make all these requests
a security hazard, but anything that hits the login functionality in WP
over and over is going to have a bad performance impact because of
transients or whatever else gets saved to the DB when someone tries to log
in (which is probably what the XMLRPC requests are actually doing).
On Mon, Jul 21, 2014 at 9:52 AM, Stephen Harris <[hidden email]>
> I too have noticed some DoS attacks using XML-RPC to target the site. But
> the e-mail from the hosts said:
> > Attackers are abusing the feature to launch DDoS attacks against other
> so it would seem they are referring to something like
> https://core.trac.wordpress.org/ticket/4137 (which is fixed).
> So I would follow their advice (disable XML-RPC if you don't need it), but
> it's not clear what vulnerability they are referring to
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
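Both the host's alert and Stephen's reply recommend disabling XML-RPC from functions.php if the site does not need it. The snippet below is an added example, not code from the thread or from WordPress itself; it assumes WordPress 3.5 or later, where the `xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers` and `bloginfo_url` filters all exist, and shows why the usual one-line filter alone does not cover the pingback reflection case the alert describes.

```php
<?php
/**
 * Added example: hardening XML-RPC from a theme's functions.php or a small
 * mu-plugin. Assumes WordPress >= 3.5 (xmlrpc_enabled, xmlrpc_methods,
 * wp_headers and bloginfo_url filters are all core hooks from that era).
 */

// 1. Refuse every authenticated XML-RPC call (wp.*, blogger.*, metaWeblog.*).
//    The server checks this flag in its login() path and answers with an
//    error before attempting authentication, so the repeated login attempts
//    mentioned in the thread no longer reach wp_authenticate() or the DB.
//    Caveat: only the login path consults this filter, so unauthenticated
//    methods such as pingback.ping keep working unless removed separately.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Drop the pingback methods entirely, so the site can neither be used as
//    a reflector against other hosts (the "DDoS attacks against other sites"
//    in the host's alert) nor receive pingback spam itself.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: remove the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and blank the pingback URL that themes print as a <link> via wp_head,
// so automated scanners have one less hint that /xmlrpc.php is live.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

Keep in mind that /xmlrpc.php itself still answers requests with these filters in place; blocking the path at the web server or host level, as the alert's plugin route effectively does, is what removes the traffic load the second reply describes.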