Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #21509, comment 20

Timestamp: 10/26/2014 08:24:16 PM (5 years ago)
Author: andrebron
Version 1:

> There are opportunities for the community to write plugins or better documentation on how to block ping/trackback requests either at the PHP level (e.g., by hooking the `xmlrpc_call` action and `die`ing for these methods) or the web server/proxy level (e.g., nginx or Varnish). But just disabling XML-RPC by default will not help with the DDOS issues.

Another thought is entirely removing xml-rpc.php from core and only having it installed when required. Not sure how to implement that, but it's worth considering since WP DDOS exploitability and reputation is somewhat on the line.

Version 2:

Thank you for clarifying. The concern isn't specifically DDOS directed to WordPress sites, but to any site through the WordPress XML-RPC pingback abuse via spoofing the domain of the target of the DDOS (reflective DDOS). This type of attack effectively targets the spoofed domain, and then in the process can DOS the WordPress sites participating in the DDOS.

Perhaps I would start working on a patch to make checks in WordPress Core on whether pingbacks and XML-RPC are being used by plugins, themes or remote applications. Perhaps rather making a better way to filter legitimate connections to XML-RPC vs. abusive connections using WordPress sites to DDOS others.
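The PHP-level mitigation quoted above (hook `xmlrpc_call` and stop execution for the pingback methods) can be written as a small must-use plugin. The block below is an added example for this discussion, not code from WordPress core or from the ticket. It relies on two real WordPress hooks, the `xmlrpc_methods` filter (method table) and the `xmlrpc_call` action (fired with the method name before any method runs); the plugin name, the `bxp_` function prefix and the `BXP_BLOCKED_METHODS` constant are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Block XML-RPC pingbacks (example)
 *
 * Added illustration for the approach quoted in this ticket; not code
 * from WordPress core or from the ticket itself. Placed in
 * wp-content/mu-plugins/ it loads on every request, including XML-RPC.
 *
 * Two layers:
 *  1. 'xmlrpc_methods' filter: unregister the pingback methods so the
 *     server reports them as unknown and never makes the outbound
 *     request to the spoofed target that a reflective DDoS relies on.
 *  2. 'xmlrpc_call' action: defence in depth. It fires with the method
 *     name before the method executes, so even if a later filter
 *     re-adds the methods they still cannot run.
 */

// XML-RPC methods involved in receiving pingbacks. A site that does not
// use pingbacks has no reason to expose them. (Example list.)
const BXP_BLOCKED_METHODS = array(
	'pingback.ping',
	'pingback.extensions.getPingbacks',
);

/**
 * Remove the pingback methods from the XML-RPC method table.
 *
 * @param array $methods Map of method name => handler.
 * @return array Filtered map without the pingback methods.
 */
function bxp_unregister_pingback_methods( $methods ) {
	foreach ( BXP_BLOCKED_METHODS as $name ) {
		unset( $methods[ $name ] );
	}
	return $methods;
}
add_filter( 'xmlrpc_methods', 'bxp_unregister_pingback_methods' );

/**
 * Abort any pingback call that still reaches the dispatcher.
 *
 * @param string $name XML-RPC method about to be executed.
 */
function bxp_refuse_pingback_call( $name ) {
	if ( ! in_array( $name, BXP_BLOCKED_METHODS, true ) ) {
		return; // Every other method proceeds untouched.
	}

	// One log line per refused call makes the volume of abuse visible
	// in the PHP error log without doing any work on the attacker's behalf.
	$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	error_log( sprintf( 'xmlrpc: refused %s from %s', $name, $remote ) );

	// wp_die() stops execution; inside an XML-RPC request WordPress routes
	// it to the XML-RPC die handler, which returns a fault to the caller.
	wp_die(
		'Pingbacks are disabled on this site.',
		'Forbidden',
		array( 'response' => 403 )
	);
}
add_action( 'xmlrpc_call', 'bxp_refuse_pingback_call' );

// Optional: report pings as closed everywhere, so the site stops
// advertising pingback support (WordPress only sends the X-Pingback
// header and the pingback link when pings_open() is true).
add_filter( 'pings_open', '__return_false' );
```

The method-table filter is what actually prevents the reflection, because a method that is not registered is rejected before any HTTP request to the victim is made; the `xmlrpc_call` guard exists so that a theme or plugin re-registering the methods cannot silently reopen the hole. The server/proxy-level alternative mentioned in the quote (blocking `pingback.ping` in nginx or Varnish) is independent of this and can be layered on top.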