[wp-trac] [WordPress Trac] #35532: Additional Security for XML-RPC to Prevent High Server Load - Specifically Pingbacks
WordPress Trac
noreply at wordpress.org
Sat Apr 16 21:59:21 UTC 2016
#35532: Additional Security for XML-RPC to Prevent High Server Load - Specifically Pingbacks
------------------------------+------------------------------
Reporter: own3mall | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone: Awaiting Review
Component: Pings/Trackbacks | Version: 4.4.1
Severity: minor | Resolution: wontfix
Keywords: | Focuses:
------------------------------+------------------------------
Changes (by dshanske):
* status: new => closed
* resolution: => wontfix
* severity: normal => minor
Comment:
Denial of Service attacks are a problem for every piece of software that
accepts and acts on requests.
While I certainly think that the pingback and xml-rpc system in general
could always use improvement, limiting xml-rpc requests to one per minute
has the potential to reject legitimate traffic.
We'd probably be better off queuing the requests to distribute load, but
pingback does not cover this and that leads to a whole other discussion
outside of the scope of the ticket.
Rate limiting, if that is what one chooses to do, is best done at the
server, not the WordPress level. The two settings noted in configuration
are not meant to disable incoming pingbacks. One disables outgoing pings,
the other covers new posts, not existing posts.
As the recommendation impacts the experience, and alternatives, including
rate limiting at the WordPress level, could be added by plugin, I don't
believe that the suggestion can be considered. It is not uncommon for a
DoS attack to come from a variety of different servers, and thus the
solution would not be workable.
As I concur with the goal of reducing load, I hope you will consider
alternative suggestions in this area that would improve performance
without compromising effectiveness.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35532#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
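The comment above recommends doing any rate limiting at the server rather than in WordPress. The following nginx configuration is an added illustration of that approach and is not part of the ticket or of WordPress core; the zone name `xmlrpc`, the 1 request/minute rate with a burst of 5, and the PHP-FPM socket path are assumptions chosen for the example.

```nginx
# Added example (not from the ticket): per-client rate limit on xmlrpc.php
# enforced by nginx, so WordPress never executes the excess requests.

# http { } context: a 10 MB shared zone keyed by client address,
# allowing 1 request per minute sustained (assumed values).
limit_req_zone $binary_remote_addr zone=xmlrpc:10m rate=1r/m;

server {
    # ... existing server block ...

    location = /xmlrpc.php {
        # Permit a short burst of 5 requests; anything beyond is rejected
        # immediately (nodelay) instead of being queued.
        limit_req zone=xmlrpc burst=5 nodelay;
        limit_req_status 429;          # Too Many Requests rather than the default 503
        limit_req_log_level warn;      # surfaces rejected clients in the error log

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket path
    }
}
```

Two caveats match the objections raised in the comment: the limit is keyed per client address, so it only slows a single abusive source and does nothing against a distributed flood spread across many servers; and if the site sits behind a reverse proxy or CDN, `$binary_remote_addr` is the proxy's address unless the real IP module (`set_real_ip_from` / `real_ip_header`) is configured, in which case every visitor would share one counter and legitimate traffic would be rejected.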