[wp-hackers] Is disabling remote client access a good idea?

Jacob Santos wordpress at santosj.name
Wed Jun 25 04:33:16 GMT 2008 

How true. I have a blog where the there are no comment forms on any 
posts and pages, but somehow the spammers are getting through. The 
problem with securing with nonces is that they can be broken depending 
on how creative the hacker is.

Interestingly enough, I think the nonce system I made has a great track 
record with blocking bots, however the problem is that it sometimes 
blocks actual users as well. I'm paranoid, but I think everything should 
be protected by a nonce (as if most things aren't already). HTTP headers 
can't be trusted and neither can cookies. Hell, you can't even trust 
users and sometimes you can't even trust yourself.

Jacob Santos

Daniel Jalkut wrote:
> It's been interesting to see how the general vibe on this list has 
> been more supportive of the limitation, while the comments on my blog 
> are in both directions but I think with a bit of lean against the 
> limitation.
>
> A common argument in favor of the limitation is that it "shuts down 
> another vector" that may be a security risk.  I think what Jens Alfke 
> said in my blog comments is very pertinent here:
>
> "Some people seem to think there’s something special about XML-RPC 
> that makes it inherently less secure. Not so — It’s just an HTTP POST, 
> just like any other change made via the web UI."
>
> When you consider the number of distinct HTTP POST access points into 
> a typical WordPress blog, all secured by a cookie-type authentication, 
> it makes the SINGLE POINT access via the xmlrpc.php URL seem rather 
> easy to manage and to secure, by comparison.
>
> Daniel
>
> On Jun 24, 2008, at 11:26 PM, Eric Marden wrote:
>
>>> It's common to disable services that you don't use.
>>
>> Dan, you are completely right.
>>
>> Security is about minimizing exposure, not the ability to survive an 
>> attack.
>>
>> -e
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list