[wp-trac] [WordPress Trac] #30742: admin-ajax.php should only execute for browser traffic
WordPress Trac
noreply at wordpress.org
Wed Dec 17 08:56:47 UTC 2014
#30742: admin-ajax.php should only execute for browser traffic
----------------------------+----------------------
Reporter: WebsitesbyMark | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 4.0.1
Severity: normal | Resolution: invalid
Keywords: | Focuses:
----------------------------+----------------------
Changes (by dd32):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
As straightforward as this may seem, it's not possible to distinguish
browser traffic from malicious traffic in a PHP application. Cloudflare
can do it as they have many network heuristics running which can block
traffic at a lower layer than WordPress can see.
Additionally, due to the number of plugins in existence which rely on
access to the file, we can't block it for logged-out users either, which
means we don't really have any methods which we can use to prevent a
resource exhaustion attack such as the one you described.
A server configuration to rate-limit the number of requests to admin-ajax
could help, but once again that's not something WordPress can alter.
I'm marking this as invalid for now, based on the technical limitations
under which WordPress operates. If someone comes up with a solution, they're
free to re-open the ticket, but remember that all malicious scripts can
pretend to be a browser and act the same.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30742#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
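The server-level rate limit the comment points to, as an added example that is not part of the ticket or of WordPress core. It assumes nginx with ngx_http_limit_req_module and PHP-FPM listening on unix:/run/php/php-fpm.sock (placeholder path); the rate and burst values are starting points, not measured figures.

```nginx
# Added example (not from the ticket or WordPress): throttle admin-ajax.php
# at the web server, where WordPress itself cannot act. Logged-out requests
# stay allowed, because plugins and themes depend on them; they are only
# limited per client address.

# http {} context: one shared-memory zone keyed on the client address.
# 10m of zone memory tracks on the order of 160k addresses. 5r/s is an
# assumed starting rate; tune it against the site's real admin-ajax traffic
# (Heartbeat, front-end forms, plugin polling) before enforcing it.
limit_req_zone $binary_remote_addr zone=wp_ajax:10m rate=5r/s;
limit_req_status 429;

server {
    # ... existing listen / server_name / root / index directives ...

    # Exact-match location so only admin-ajax.php is throttled, not wp-admin.
    location = /wp-admin/admin-ajax.php {
        # Absorb short bursts of up to 10 requests without queueing, then
        # reject with 429 so PHP-FPM workers are never exhausted by excess.
        limit_req zone=wp_ajax burst=10 nodelay;
        limit_req_log_level warn;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

If the site sits behind Cloudflare (as the ticket mentions), $binary_remote_addr is Cloudflare's address unless ngx_http_realip_module is configured (set_real_ip_from for their ranges plus real_ip_header CF-Connecting-IP), otherwise the limit applies to the proxy rather than the client. Watch for 429s in the access log after deployment; a steady stream from legitimate users means the rate is set too low.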