Changes between Version 1 and Version 2 of Ticket #21509, comment 20
Timestamp: 10/26/2014 08:24:16 PM
Ticket #21509, comment 20
v1 | v2 | text
---+----+------------------------------------------------------------------------------------------
 1 |    | Removed: > There are opportunities for the community to write plugins or better documentation on how to block ping/trackback requests either at the PHP level (e.g., by hooking the `xmlrpc_call` action and `die`ing for these methods) or the web server/proxy level (e.g., nginx or Varnish). But just disabling XML-RPC by default will not help with the DDOS issues.
   |  1 | Added: Thank you for clarifying. The concern isn't specifically DDOS directed to WordPress sites, but to any site through the WordPress XML-RPC pingback abuse via spoofing the domain of the target of the DDOS (reflective DDOS). This type of attack effectively targets the spoofed domain, and then in the process can DOS the WordPress sites participating in the DDOS.
 2 |  2 | Unmodified: (blank line)
 3 |    | Removed: Another thought is entirely removing xml-rpc.php from core and only having it installed when required. Not sure how to implement that but it's worth considering since WP DDOS exploitability and reputation is somewhat on the line.
   |  3 | Added: Perhaps I would start working on a patch to make checks in WordPress Core on whether pingbacks and XML-RPC are being used by plugins, themes or remote applications. Perhaps rather making a better way to filter legitimate connections to XML-RPC vs. abusive connections using WordPress sites to DDOS others.
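The PHP-level mitigation the quoted text points at (hooking the `xmlrpc_call` action and stopping the request for pingback methods) written out as a small must-use plugin, so a site stops acting as a reflector while the rest of XML-RPC keeps working. This is an added example, not code from the ticket or from WordPress core; the plugin name and the response text are made up, and the `xmlrpc_methods` filter is a second standard WordPress hook used here alongside the approach the comment describes.

```php
<?php
/**
 * Plugin Name: Block XML-RPC pingbacks (example)
 * Description: Example mitigation against reflective pingback abuse (not part of ticket #21509).
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before any other plugin.
 */

// Incoming methods that make this site fetch an attacker-chosen "source" URL.
// pingback.ping needs no authentication, so it is reachable on every default install.
function example_blocked_xmlrpc_methods() {
	return array( 'pingback.ping', 'pingback.extensions.getPingbacks' );
}

// Approach from the quoted comment: xmlrpc_call fires with the method name before the
// server dispatches it. Ending the request here means the handler never runs and the
// site never issues the outbound request that makes reflective amplification work.
add_action( 'xmlrpc_call', function ( $method ) {
	if ( in_array( $method, example_blocked_xmlrpc_methods(), true ) ) {
		status_header( 403 );
		die( 'Pingbacks are disabled on this site.' );
	}
} );

// Defence in depth: also drop the methods from the server's method table, so
// system.listMethods no longer advertises them and a direct call gets an XML-RPC fault
// ("requested method ... does not exist") instead of being processed.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	foreach ( example_blocked_xmlrpc_methods() as $name ) {
		unset( $methods[ $name ] );
	}
	return $methods;
} );

// Stop advertising the endpoint to crawlers and scanners via the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// Caveat: add_filter( 'xmlrpc_enabled', '__return_false' ) is NOT a fix for this issue.
// That filter only gates methods that require login; pingback.ping is unauthenticated
// and stays reachable, which is why the comment talks about hooking xmlrpc_call instead.
```

Both hooks are kept on purpose: the action gives an unambiguous 403 you can alert on in the web server logs, while the filter guarantees the method is gone even if another plugin re-registers the action at a different priority.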