[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option
WordPress Trac
noreply at wordpress.org
Sun Oct 26 19:02:16 UTC 2014
#21509: Enable XML-RPC by default and remove the option
-----------------------------+---------------------
Reporter: nacin | Owner: nacin
Type: feature request | Status: closed
Priority: normal | Milestone: 3.5
Component: XML-RPC | Version: 4.0
Severity: major | Resolution: fixed
Keywords: 2nd-opinion | Focuses:
-----------------------------+---------------------
Comment (by maxcutler):
Replying to [comment:18 andrebron]:
> Hi all. More recently there have been concerns about how xml-rpc.php is
> widely abused for DDOS (also for brute force attacks, but really gonna
> focus on the DDOS). A perfectly secured WordPress site with xml-rpc.php
> enabled can be easily abused to participate in DDOS attacks.
Pingbacks, despite living in the XML-RPC API, have never respected the
enabled/disabled option for XML-RPC in the admin.
That option only applies to XML-RPC methods that check user credentials,
but pingbacks/trackbacks are anonymous and thus do not fall under that
check.
There are opportunities for the community to write plugins or better
documentation on how to block ping/trackback requests either at the PHP
level (e.g., by hooking the `xmlrpc_call` method and `die`ing for these
methods) or the web server/proxy level (e.g., nginx or Varnish). But just
disabling XML-RPC by default will not help with the DDOS issues.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21509#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
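The PHP-level blocking that maxcutler's comment describes, written out as an added example (this is not code from the ticket or from WordPress core): a must-use plugin that hooks the core `xmlrpc_call` action and ends the request for the anonymous pingback methods, plus the complementary step of removing those methods from the server's method table through the core `xmlrpc_methods` filter so they are never dispatched at all. The function names prefixed `example_` are assumptions for this illustration; `xmlrpc_call`, `xmlrpc_methods`, `wp_die()` and the two `pingback.*` method names are WordPress core identifiers.

```php
<?php
/**
 * Plugin Name: Block anonymous pingback XML-RPC methods (added example)
 * Description: Drops pingback.ping and pingback.extensions.getPingbacks at
 *              the PHP level. These methods take no credentials, so the
 *              admin "enable XML-RPC" option discussed in #21509 never
 *              covered them. Place this file in wp-content/mu-plugins/.
 */

/**
 * The credential-free methods to refuse. (Assumed list for this example;
 * extend it if a site also wants to refuse other anonymous methods.)
 */
function example_blocked_xmlrpc_methods() {
	return array(
		'pingback.ping',
		'pingback.extensions.getPingbacks',
	);
}

/**
 * Step 1: remove the methods from the method table. The `xmlrpc_methods`
 * filter runs in wp_xmlrpc_server::__construct(); a method that is absent
 * from the table is answered with the server's standard "method does not
 * exist" fault, so the handler never runs and no outbound request to the
 * claimed "source" URL is ever made.
 */
function example_remove_pingback_methods( array $methods ) {
	foreach ( example_blocked_xmlrpc_methods() as $name ) {
		unset( $methods[ $name ] );
	}
	return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

/**
 * Step 2 (belt and braces): the approach from the comment. Core fires the
 * `xmlrpc_call` action with the method name at the start of each handler,
 * so a hooked callback can stop the request before the handler does any
 * work. The error_log() line gives operators a countable signal for
 * measuring how often the endpoint is being probed.
 */
function example_block_pingback_call( $name ) {
	if ( ! in_array( $name, example_blocked_xmlrpc_methods(), true ) ) {
		return;
	}
	$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	error_log( sprintf( 'Refused XML-RPC method %s from %s', $name, $remote ) );
	// In an XML-RPC request wp_die() hands off to core's XML-RPC die handler,
	// which returns a fault to the caller and exits; 403 is the HTTP status.
	wp_die(
		'Pingbacks are not accepted on this site.',
		'Forbidden',
		array( 'response' => 403 )
	);
}
add_action( 'xmlrpc_call', 'example_block_pingback_call' );
```

Step 1 alone is sufficient on current WordPress; step 2 is kept because it is the hook the comment names and it still works if another plugin re-adds the methods later in the filter chain. Neither step touches authenticated XML-RPC methods, so mobile apps and Jetpack-style clients keep working, which is the trade-off the comment is pointing at: disabling the whole endpoint by default would break those while leaving the anonymous pingback path untouched. The same refusal can be pushed down to nginx or Varnish by rejecting POSTs to xmlrpc.php whose body names `pingback.ping`, which saves PHP from having to parse the request at all.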