WP’s XML-RPC functionality a security vulnerability?
Patty Ayers
2014-07-21 16:27:14 UTC
If this is off-topic, I apologize. A web host I use sent me this "courtesy
security alert", copy-pasted below. Is this accurate? What about their
recommendations, do you agree with their advice? I have about 25 live WP
sites and want to keep them as secure as possible. I do use basic good
security measures (strong passwords, themes and plugins updated, nightly
off-site backups, etc.) already. Thanks very much in advance,

Patty
---------------------------------------

"Dear Customer,

Please consider this a courtesy security alert. This message only applies
to WordPress websites.

We wanted to make you aware of a vulnerability in WordPress that is
becoming an increasingly popular exploit for attackers.

The vulnerability is from WordPress’s XML-RPC
<http://codex.wordpress.org/XML-RPC_Support> functionality, a feature
enabled by default since version 3.5. Attackers are abusing the feature to
launch DDoS attacks against other sites.

It is important to note that XML-RPC does serve some legitimate purposes
<http://codex.wordpress.org/XML-RPC_Support>, including the pingback
<http://en.support.wordpress.com/comments/pingbacks/> feature and the
ability to post content remotely from various WebLog clients
<http://codex.wordpress.org/Weblog_Client>.

Due to the scale and nature of the exploits, however, we would like to
recommend that WordPress owners who do not require or need the XML-RPC
functionality take steps to disable the threat from their site.

For advanced WordPress users, XML-RPC can be disabled by modifying the
functions.php file from the site.
For general users, there are several plugins available that disable
XML-RPC, including “Disable XML RPC Fully
<https://wordpress.org/plugins/disable-xml-rpc-fully/>” ..."

-----------------------------------------------------------------------------
Jeremy Clarke
2014-07-21 16:42:19 UTC
I've noticed a huge surge in trash traffic to /xmlrpc.php on my big sites.
In my case they are coming from different IPs every time, which makes them
very hard to block (and indicates a DDoS or at least a distributed intrusion
attempt).

Originally they were coming in with a specific user-agent so I could at
least block them from loading the page, but today it seems they've switched
to empty user agents, making the requests a lot harder to block.

AFAIK there's no fundamental flaw in WP that would make all these requests
a security hazard, but anything that hits the login functionality in WP
over and over is going to have a bad performance impact because of
transients or whatever else gets saved to the DB when someone tries to log
in (which is probably what the XMLRPC requests are actually doing).
--
Jeremy Clarke
Code and Design • globalvoicesonline.org
Stephen Harris
2014-07-21 16:52:10 UTC
I too have noticed some DoS attacks using XML-RPC to target the site.

> Attackers are abusing the feature to launch DDoS attacks against
> other sites.

so it would seem they are referring to something like
https://core.trac.wordpress.org/ticket/4137 (which is fixed).

So I would follow their advice (disable XML-RPC if you don't need it),
but it's not clear what vulnerability they are referring to.
Joshua Eichorn
2014-07-21 16:57:18 UTC
Likely they are talking about xml-rpc ping attacks.

http://wordpress.org/plugins/remove-xmlrpc-pingback-ping/

-josh
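The two WordPress-side mitigations discussed in this thread (the host's "disable XML-RPC from functions.php" advice and Josh's pingback-only removal) as one added example; this is not code from the thread or from either plugin it links, and it assumes a site on WordPress 3.5 or later with the file dropped into wp-content/mu-plugins/ (the file name is made up).

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example for the wp-hackers thread)
 * File name is hypothetical, e.g. wp-content/mu-plugins/restrict-xmlrpc.php
 */

// Step 1: the "turn it off" approach the host alert refers to.
// Caveat: WordPress only consults this filter inside the server's login()
// routine, so it rejects authenticated calls (remote posting, metaWeblog.*,
// wp.*) but does NOT stop unauthenticated methods such as pingback.ping,
// which is the method the DDoS reflection abuse relies on.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Step 2: remove the pingback methods from the method table so they are
// unreachable regardless of step 1. This is what the "remove xmlrpc
// pingback ping" approach boils down to; remote posting still works if
// step 1 is left out.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Step 3: stop advertising the endpoint. WordPress adds an X-Pingback
// header on singular pages that accept pings; dropping it removes the hint
// that scanners use to enumerate reflectors. Note the request to
// /xmlrpc.php itself still loads WordPress, so the CPU cost Jeremy
// describes is only removed by blocking at the web server or firewall.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Check the result with a POST of a pingback.ping call to /xmlrpc.php: after step 2 the response is a faultCode for an unknown method rather than a pingback attempt against the URL supplied.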
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers