[wp-hackers] WP’s XML-RPC functionality a security vulnerability?

Patty Ayers patty at ayersvirtual.com
Mon Jul 21 16:27:14 UTC 2014


If this is off-topic, I apologize. A web host I use sent me this "courtesy
security alert", copy-pasted below. Is this accurate? What about their
recommendations, do you agree with their advice? I have about 25 live WP
sites and want to keep them as secure as possible. I do use basic good
security measures (strong passwords, themes and plugins updated, nightly
off-site backups, etc.) already. Thanks very much in advance,

Patty
---------------------------------------

"Dear Customer,

Please consider this a courtesy security alert. This message only applies
to WordPress websites.

We wanted to make you aware of a vulnerability in WordPress that is
becoming an increasingly popular exploit for attackers.

The vulnerability is from WordPress’s XML-RPC
<http://codex.wordpress.org/XML-RPC_Support> functionality, a feature
enabled by default since version 3.5. Attackers are abusing the feature to
launch DDoS attacks against other sites.

It is important to note that XML-RPC does serve some legitimate purposes
<http://codex.wordpress.org/XML-RPC_Support>, including the pingback
<http://en.support.wordpress.com/comments/pingbacks/> feature and the
ability to post content remotely from various WebLog clients
<http://codex.wordpress.org/Weblog_Client>.

Due to the scale and nature of the exploits, however, we would like to
recommend that WordPress owners who do not require or need the XML-RPC
functionality take steps to disable the threat from their site.

For advanced WordPress users, XML-RPC can be disabled by modifying the
functions.php file from the site.
For general users, there are several plugins available that disable
XML-RPC, including “Disable XML RPC Fully
<https://wordpress.org/plugins/disable-xml-rpc-fully/>” ..."
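Added example, not part of Patty's message or of the host's alert: what the "modify functions.php" advice above looks like in practice. The filter names `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` and the method names `pingback.ping` and `pingback.extensions.getPingbacks` are WordPress's own; the `example_` function names are assumptions chosen here. Option A switches XML-RPC off entirely (which also breaks remote posting from weblog clients); option B keeps remote posting and removes only the pingback methods that are abused for the reflected DDoS the alert describes. Use one or the other, not both.

```php
<?php
/*
 * Added example, not code from the thread. Drop this into the active
 * theme's functions.php, or better, into wp-content/mu-plugins/ so it
 * survives a theme switch.
 */

/*
 * Option A: refuse every XML-RPC call. The 'xmlrpc_enabled' filter is
 * what xmlrpc.php consults before dispatching a method; returning false
 * makes the server answer every request with a fault. Remote publishing
 * from weblog clients stops working as well.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );

/*
 * Option B: keep XML-RPC for remote posting but unregister the pingback
 * methods. 'xmlrpc_methods' receives the method-name => callback map
 * that wp_xmlrpc_server exposes; removing the entry makes the server
 * report the method as unknown instead of fetching the attacker-chosen
 * URL (the fetch is the reflection the alert refers to).
 */
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

/*
 * With either option, stop advertising the endpoint: WordPress sends an
 * X-Pingback header pointing at xmlrpc.php on every front-end response,
 * which is how scanners find pingback-capable sites.
 */
function example_remove_x_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_x_pingback_header' );
```

To check the result from outside, POST a `system.listMethods` call to `/xmlrpc.php` (for example with curl) and confirm that `pingback.ping` is absent from the returned list (option B) or that the server answers with a fault (option A), and fetch the home page with `curl -I` to confirm the `X-Pingback` header is gone.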

-----------------------------------------------------------------------------