xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!

Did you know your website could be used to attack other websites?

Or, has your website displayed this message:

“Resource Limit Is Reached. The website is temporarily
unable to service your request as it 
exceeded
resource limit. Please try again later”

Or, worst:

“500 Internal Server Error”

 

If so, XML-RPC Support or specifically your WordPress xmlrpc.php file may very well have been the reason why. 

What is this article about?

My goal in writing this article is to clarify what XML-RPC protocol is about, share a bit of history, and provide some quick tips for enabling or disabling XML-RPC Support.

Update, August, 2014:
The WordPres 3.9.2 security update was intended to minimize the impact of excessive connections to the xmlrpc.php script.

 
Here’s the rub, XML-RPC Support, a.k.a., remote publishing, was “OFF” by default in versions of WordPress prior to 3.5.  xmlrpc.phpIn December 2012, the WordPress folks, believing they had fixed the XML-RPC security issues from earlier that year, forced the default XML-RPC protocol setting to “ON.” And, for good measure then removed the option to turn it off within the WordPress dashboard. Zoinks!

Then, later in 2013, distributed denial of service attacks using the xmlrpc mechanism were confirmed again by Incapsula, WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks.

Without going into a long treatise on how or why the XML-RPC protocol can be used and abused, let’s talk about whether you need to leave it “ON” (or OFF!).

If you are not sure what pingbacks or trackbacks are about there are lot of great articles written on this subject. I recommend trying a Google search for the phrase, “why should I care about pingbacks.”

 

I couldn’t care less about XML-RPC protocol or pingbacks or trackbacks, or Jetpack

If you would prefer to not use plugins and wish to kill the loading of the xmlrpc.php file completely, just add this snippet of text to your .htaccess file:

RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]

This null routing method will use less server resources than removing or denying access to the script; which would result in a 404 “file not found” request and additional resources respectively.

 

I loves my XML-RPC protocol, pingbacks and trackbacks, or Jetpack

For those of us who find Jetpack indispensable, and fully disabling xmlrpc.php is not an option, try one of these two options:

  • Disable XML-RPC plugin. The Disable XML-RPC plugin was written to disable the XML-RPC API, but does not disable the trackbacks and pingbacks required by Jetpack and other mobile applications.
  • Remove XMLRPC Pingback Ping should likewise allow JetPack and WordPress Mobile Applications to operate without error.

Alternately, to disable only pingbacks and trackbacks, while leaving the XML-RPC protocol operational:

  1. Delete the wp-trackback.php file:
    /public_html/wp-trackback.php
  2. Then disallow notifications by going to

    http://your_site.com/wp-admin/options-discussion.php

And uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)

That should give you back much of the XML-RPC system flavor, without the bad pingback taste.

Alternatively, if Jetpack is not your friend (today), instead of denying all access to xmlrpc.php, you can just as easily whitelist the IP addresses you wish to allow access to your xmlrpc.php file. This way you’ll retain your mobile publishing options while blocking those bots like winter in Chicago:


<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>

 *If, for example, you are publishing updates from your iPhone using your local WiFi connection you would enter in your local Internet connection IP address to allow access. Hint: Google “What is my IP”

 

And Enjoy!

I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637

 

 

HackGuard.com | Managed WordPress Update Service

 

Leave a Reply

  

  

  

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>