[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option
WordPress Trac
noreply at wordpress.org
Sun Oct 26 19:58:48 UTC 2014
#21509: Enable XML-RPC by default and remove the option
-----------------------------+---------------------
Reporter: nacin | Owner: nacin
Type: feature request | Status: closed
Priority: normal | Milestone: 3.5
Component: XML-RPC | Version: 4.0
Severity: major | Resolution: fixed
Keywords: 2nd-opinion | Focuses:
-----------------------------+---------------------
Comment (by andrebron):
Replying to [comment:19 maxcutler]:
> Replying to [comment:18 andrebron]:
> > Hi all. More recently there have been concerns about how xml-rpc.php
> > is widely abused for DDOS (also for brute force attacks, but really gonna
> > focus on the DDOS). A perfectly secured wordpress site with xml-rpc.php
> > enabled can be easily abused to participate in DDOS attacks.
>
> Pingbacks, despite living in the XML-RPC API, have never respected the
> enabled/disabled option for XML-RPC in the admin.
>
> That option only applies to XML-RPC methods that check user credentials,
> but pingbacks/trackbacks are anonymous and thus do not fall under that
> check.
>
> There are opportunities for the community to write plugins or better
> documentation on how to block ping/trackback requests either at the PHP
> level (e.g., by hooking the `xmlrpc_call` action and `die`ing for these
> methods) or the web server/proxy level (e.g., nginx or Varnish). But just
> disabling XML-RPC by default will not help with the DDOS issues.
Another thought is entirely removing xml-rpc.php from core and only having
it installed when required. Not sure how to implement that but it's worth
considering since wp DDOS exploitability and reputation are somewhat on the
line.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21509#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
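The PHP-level mitigation maxcutler sketches in the quoted comment (hook the `xmlrpc_call` action and stop the request for the anonymous pingback methods) is shown below as a small must-use plugin. This is an added example, not code from WordPress core or from anyone in the ticket. The hook names (`xmlrpc_methods`, `xmlrpc_call`, `wp_headers`, `wp_head`/`rsd_link`) and the method names `pingback.ping` and `pingback.extensions.getPingbacks` are WordPress core's; the `example_` function name, the log line format and the plugin header are assumptions made for this example. As the thread notes, the Settings option and the `xmlrpc_enabled` filter only gate credentialed methods, which is why this code targets the pingback methods directly instead.

```php
<?php
/**
 * Plugin Name: Refuse anonymous pingback XML-RPC methods (added example)
 * Description: Blocks the credential-less pingback methods that the
 *              "Enable XML-RPC" option never covered, while leaving
 *              authenticated methods (mobile apps, Jetpack) working.
 *              Drop into wp-content/mu-plugins/ (path is an assumption).
 */

// The anonymous methods to refuse. Constructed list for this example;
// the method names themselves are the ones WordPress core registers.
function example_blocked_xmlrpc_methods() {
    return array(
        'pingback.ping',
        'pingback.extensions.getPingbacks',
    );
}

// Approach 1: remove the methods from the server's method table. A request
// for them then gets the standard "requested method does not exist" fault
// and the pingback handler (with its outbound fetch of the "source" URL,
// which is what makes the reflection abuse work) is never reached.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    foreach ( example_blocked_xmlrpc_methods() as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
} );

// Approach 2 (the one described in the thread, kept as defence in depth in
// case another plugin re-registers the methods): `xmlrpc_call` fires with
// the method name before the handler runs, so answer with an XML-RPC fault
// and end the request. Inside an XML-RPC request wp_die() emits a fault
// document rather than an HTML error page.
add_action( 'xmlrpc_call', function ( $name ) {
    if ( in_array( $name, example_blocked_xmlrpc_methods(), true ) ) {
        // One log line per refusal; a sudden burst of these in the PHP
        // error log is the detection signal for a reflection campaign.
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'xmlrpc: refused %s from %s', $name, $remote ) );

        wp_die(
            'Pingbacks are disabled on this site.',
            'XML-RPC method disabled',
            array( 'response' => 403 )
        );
    }
} );

// Stop advertising the endpoint: drop the X-Pingback response header and
// the RSD <link> tag that tell crawlers where to send pingbacks. This does
// not block anything by itself; it only reduces automated discovery.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

A test from the command line is a POST of a `<methodCall>` for `pingback.ping` to `xml-rpc.php`: with the plugin active the response is an XML-RPC fault and no outbound request to the "source" URL is made, while a `wp.getUsersBlogs` call with valid credentials still succeeds. The web-server-level alternative the comment mentions (an nginx or Varnish rule denying `POST /xmlrpc.php` bodies that name the pingback methods) achieves the same result without running PHP at all, which matters when the goal is surviving the request volume of an ongoing attack rather than merely refusing it.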