Changes between Version 1 and Version 2 of Ticket #21509, comment 18
Timestamp: 10/26/2014 07:52:30 PM (10 years ago)
Ticket #21509, comment 18
Version 1:

Hi all. More recently there have been concerns about how xml-rpc.php is widely abused for DDOS (also for brute force attacks, but really gonna focus on the DDOS). A perfectly secured wordpress site with xml-rpc.php enabled can be easily abused to participate in DDOS attacks.

http://www.computerweekly.com/news/2240215998/More-the-162000-WordPress-sites-used-in-DDoS-attack

Enabling xml-rpc by default has drastically affected the volume of DDOS abuse through xml-rpc through wp sites. I understand it is relatively widely used, however, most wp sites (I believe) do not use pingbacks or wp mobile app by default. I believe it should be reverted back to disabled by default and have plugins and remote services that rely on this to enable it either automagically upon install or in their installation instructions.

I personally found 1 site I manage that has been abused through xml-rpc.php.

http://labs.sucuri.net/?is-my-wordpress-ddosing

While removing this file or blocking it at the server level (or php code) works, so many users (likely most) install wp core and do not specifically use xml-rpc.php pingback or features for wp mobile. Besides 4.0 is mobile responsive ;)

I suggest again disabling xml-rpc.php by default. While it is not as severe as an open DNS resolver abuse that amplifies attacks, it is still quite a problem that seems has not been given enough attention lately since xml-rpc was set to enabled by default.

Version 2:

Hi all. More recently there have been concerns about how xml-rpc.php is widely being abused for DDOS (also for brute force attacks, but really gonna focus on the DDOS). A perfectly secured wordpress site with xml-rpc.php enabled can be easily abused to participate in DDOS attacks.

http://www.computerweekly.com/news/2240215998/More-the-162000-WordPress-sites-used-in-DDoS-attack

Enabling xml-rpc by default has drastically affected the volume of DDOS abuses through the wp xml-rpc. I understand it is relatively widely used, however, most wp sites (I believe) do not use pingbacks or wp mobile app for the most part. I believe it should be reverted back to disabled by default and have plugins and remote services that rely on this to enable it either automagically upon install or in their installation instructions.

I personally found 1 site I manage that has been abused through xml-rpc.php. Not sure how many are being abused but I can imagine this increasing since xml-rpc was enabled by default.

http://labs.sucuri.net/?is-my-wordpress-ddosing

While removing this file or blocking it at the server level (or disabling it in php code) works, so many users (likely most) install wp core and do not specifically use xml-rpc.php pingback or features for wp mobile or other. Besides 4.0 is mobile responsive ;)

I suggest again disabling xml-rpc.php by default. While it is not as severe as open DNS resolvers being abused for DDOS amplification attacks, it is still quite a problem that seems has not been given enough attention lately since xml-rpc was set to enabled by default.
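The comment mentions "disabling it in php code" as one of the workarounds a site owner can apply today. The following must-use plugin is an added example, not code from the ticket or from WordPress core; it uses three real core hooks (`xmlrpc_methods`, `wp_headers`, `xmlrpc_enabled`), while the plugin name and the file path `wp-content/mu-plugins/disable-pingback.php` are assumptions for illustration. The point a practitioner needs to know: `xmlrpc_enabled` only gates methods that require authentication, and `pingback.ping` does not, so the reflection abuse described in the thread is stopped by removing the method itself, not by that filter alone.

```php
<?php
/**
 * Plugin Name: Disable pingback.ping (added example, assumed file name)
 * Description: Drop this file into wp-content/mu-plugins/ to stop xml-rpc.php
 *              from acting as a pingback reflector without touching core files.
 */

// pingback.ping is an unauthenticated method, so it must be removed explicitly.
// pingback.extensions.getPingbacks is removed for completeness.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in every response via the X-Pingback header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Optional: also switch off the authenticated XML-RPC methods. This is what
// breaks the mobile app / remote publishing use cases the ticket talks about,
// so keep it only on sites that do not rely on them.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Because the first filter leaves the rest of the XML-RPC surface alone, a site that needs remote publishing can keep it and still drop the reflector; the last filter is the "disable by default" behaviour the ticket argues for, expressed per site. Blocking xml-rpc.php at the web server level remains a valid belt-and-braces measure alongside this.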