WordPress.org

Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #21509, comment 18


Timestamp: 10/26/2014 07:52:30 PM
Author: andrebron
Version 1:

Hi all.  More recently there have been concerns about how xml-rpc.php is widely abused for DDOS (also for brute force attacks, but really gonna focus of the DDOS).  A perfectly secured wordpress site with xml-rpc.php enabled can be easily abused to participate in DDOS attacks.

http://www.computerweekly.com/news/2240215998/More-the-162000-WordPress-sites-used-in-DDoS-attack

Enabling xml-rpc by default has drastically affected the volume of DDOS abuse through xml-rpc through wp sites.  I understand it is relatively widely used, however, most wp sites (I believe) do not use pingbacks or wp mobile app by default.  I believe it should be reverted back to disabled by default and have plugins and remote services that rely on this to enable it either automagically upon install or in their installation instructions.

I personally found 1 site I manage that has been abused through xml-rpc.php.

http://labs.sucuri.net/?is-my-wordpress-ddosing

While remove this file or blocking it at the server level (or php code) works, so many users (likely most) install wp core and do not specifically use xml-rpc.php pingback or features for wp mobile.  Besides 4.0 is mobile responsive ;)

I suggest again disabling xml-rpc.php by default.  While it is not as severe as an open DNS resolver abuse that amplifies attacks, it is still quite a problem that seems has not been given enough attention lately since xml-rpc was set to enabled by default.

Version 2:

Hi all.  More recently there have been concerns about how xml-rpc.php is widely being abused for DDOS (also for brute force attacks, but really gonna focus on the DDOS).  A perfectly secured wordpress site with xml-rpc.php enabled can be easily abused to participate in DDOS attacks.

http://www.computerweekly.com/news/2240215998/More-the-162000-WordPress-sites-used-in-DDoS-attack

Enabling xml-rpc by default has drastically affected the volume of DDOS abuses through the wp xml-rpc.  I understand it is relatively widely used, however, most wp sites (I believe) do not use pingbacks or wp mobile app for the most part.  I believe it should be reverted back to disabled by default and have plugins and remote services that rely on this to enable it either automagically upon install or in their installation instructions.

I personally found 1 site I manage that has been abused through xml-rpc.php.  Not sure how many are being abused but I can imagine this increasing since xml-rpc was enabled by default.

http://labs.sucuri.net/?is-my-wordpress-ddosing

While removing this file or blocking it at the server level (or disabling it in php code) works, so many users (likely most) install wp core and do not specifically use xml-rpc.php pingback or features for wp mobile or other.  Besides 4.0 is mobile responsive ;)

I suggest again disabling xml-rpc.php by default.  While it is not as severe as open DNS resolvers being abused for DDOS amplification attacks, it is still quite a problem that seems has not been given enough attention lately since xml-rpc was set to enabled by default.
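The comment mentions "disabling it in php code" as one of the workarounds available to a site owner. The following must-use plugin is an added example of that mitigation; it is not code from this Trac ticket or from WordPress core. It assumes it is saved as wp-content/mu-plugins/harden-xmlrpc.php on WordPress 3.5 or later (the xmlrpc_enabled filter was introduced in 3.5), and the HX_DISABLE_ALL_XMLRPC constant and hx_ function names are the example's own. The detail worth noticing is that xmlrpc_enabled alone only closes the authenticated methods; pingback.ping needs no login, so the pingback surface used for the DDOS reflection has to be removed from the method table separately.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not WordPress core code)
 * Description: Disable xml-rpc.php entirely, or only strip the unauthenticated
 *              pingback methods, from PHP instead of editing the web server.
 *
 * Assumption: installed as wp-content/mu-plugins/harden-xmlrpc.php on WP >= 3.5.
 */

// true  = refuse every XML-RPC method (the "disabled by default" the comment asks for).
// false = keep authenticated methods (mobile app, remote publishing) but drop the
//         login-free pingback methods that make a site usable for DDOS reflection.
if ( ! defined( 'HX_DISABLE_ALL_XMLRPC' ) ) {
	define( 'HX_DISABLE_ALL_XMLRPC', true );
}

/**
 * Filters the XML-RPC method table before wp_xmlrpc_server dispatches a call.
 * pingback.ping requires no credentials, so the xmlrpc_enabled filter does not
 * block it; the method entries themselves must be removed.
 */
function hx_filter_xmlrpc_methods( array $methods ) {
	if ( HX_DISABLE_ALL_XMLRPC ) {
		return array(); // no methods at all: every call answers "method does not exist"
	}
	unset( $methods['pingback.ping'] );
	unset( $methods['pingback.extensions.getPingbacks'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'hx_filter_xmlrpc_methods' );

// Close the authenticated surface too, which is what brute-force login
// attempts through xml-rpc.php rely on.
if ( HX_DISABLE_ALL_XMLRPC ) {
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

/**
 * Stop advertising the endpoint: no X-Pingback response header, no incoming
 * pingbacks accepted, and no RSD discovery link pointing at xmlrpc.php.
 */
function hx_strip_pingback_header( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'hx_strip_pingback_header' );
add_filter( 'pings_open', '__return_false' );
remove_action( 'wp_head', 'rsd_link' );

/**
 * When everything is disabled, answer direct requests to xml-rpc.php with 403
 * on init, before the request body is parsed, so each hit costs no more than
 * bootstrapping WordPress. XMLRPC_REQUEST is defined at the top of xml-rpc.php.
 */
function hx_reject_xmlrpc_request() {
	if ( HX_DISABLE_ALL_XMLRPC && defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		status_header( 403 );
		nocache_headers();
		exit( 'XML-RPC is disabled on this site.' );
	}
}
add_action( 'init', 'hx_reject_xmlrpc_request', 0 );
```

After installing, a POST to /xmlrpc.php should return 403 with HX_DISABLE_ALL_XMLRPC set to true; with it set to false, a pingback.ping call should be answered with the XML-RPC "method does not exist" fault while authenticated methods keep working. Blocking at the web server level, as the comment also mentions, is cheaper per request because WordPress is never loaded, but the PHP approach survives server migrations and can be shipped with the site.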