[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option
WordPress Trac
noreply at wordpress.org
Sun Oct 26 18:46:51 UTC 2014
#21509: Enable XML-RPC by default and remove the option
-----------------------------+---------------------
Reporter: nacin | Owner: nacin
Type: feature request | Status: closed
Priority: normal | Milestone: 3.5
Component: XML-RPC | Version: 4.0
Severity: major | Resolution: fixed
Keywords: 2nd-opinion | Focuses:
-----------------------------+---------------------
Changes (by andrebron):
* keywords: has-patch => 2nd-opinion
* version: => 4.0
* type: enhancement => feature request
* severity: normal => major
Comment:
Hi all. More recently there have been concerns about how xml-rpc.php is
widely abused for DDoS (also for brute force attacks, but really gonna
focus on the DDoS). A perfectly secured WordPress site with xml-rpc.php
enabled can be easily abused to participate in DDoS attacks.
http://www.computerweekly.com/news/2240215998/More-the-162000-WordPress-sites-used-in-DDoS-attack
Enabling xml-rpc by default has drastically affected the volume of DDOS
abuse through xml-rpc on wp sites. I understand it is relatively widely
used, however, most wp sites (I believe) do not use pingbacks or wp mobile
app by default. I believe it should be reverted back to disabled by
default and have plugins and remote services that rely on this to enable
it either automagically upon install or in their installation
instructions.
I personally found 1 site I manage that has been abused through xml-rpc.php.
http://labs.sucuri.net/?is-my-wordpress-ddosing
While removing this file or blocking it at the server level (or in PHP code)
works, so many users (likely most) install wp core and do not specifically
use xml-rpc.php pingback or features for wp mobile. Besides, 4.0 is mobile
responsive ;)
I suggest again disabling xml-rpc.php by default. While it is not as
severe as an open DNS resolver abuse that amplifies attacks, it is still
quite a problem that seems to have not been given enough attention lately
since xml-rpc was set to enabled by default.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21509#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
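As an added example from the defender's side, not code from the ticket or from WordPress core: a small must-use plugin that removes the pingback methods the DDoS reflection relies on while leaving the rest of XML-RPC available to mobile apps and remote services. It assumes the real WordPress filter hooks `xmlrpc_methods`, `wp_headers`, `bloginfo_url` and `xmlrpc_enabled`; the constant name `EXAMPLE_DISABLE_XMLRPC` is this example's own.

```php
<?php
/**
 * Plugin Name: Example XML-RPC pingback hardening (mu-plugin)
 * Description: Added example, not part of WordPress core. Strips the
 * pingback methods from xml-rpc.php so the site cannot be used as a
 * DDoS reflector, and stops advertising pingback support.
 */

// Example-specific switch (not a WordPress constant): set to true in
// wp-config.php to also refuse every authenticated XML-RPC method.
if ( ! defined( 'EXAMPLE_DISABLE_XMLRPC' ) ) {
    define( 'EXAMPLE_DISABLE_XMLRPC', false );
}

// 1. Remove the pingback methods from the server's method table.
//    pingback.ping takes no credentials, so this filter, not
//    xmlrpc_enabled, is what closes the reflection vector.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Drop the X-Pingback response header so scanners stop discovering
//    the endpoint through normal page requests.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Blank the pingback URL that themes print via bloginfo('pingback_url')
//    as <link rel="pingback" href="...">.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Optional: turn off XML-RPC entirely. Note that xmlrpc_enabled only
//    makes wp_xmlrpc_server::login() fail (IXR error 405), so it blocks
//    the brute-force angle but would leave pingback.ping reachable on
//    its own; step 1 above is still required.
if ( EXAMPLE_DISABLE_XMLRPC ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
}
```

Dropping the file into wp-content/mu-plugins/ activates it without a plugin-list entry; a quick check is that the POST response to xmlrpc.php for pingback.ping now carries faultCode -32601 (method not found) instead of a success or a "source URI does not exist" fault.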