xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!

 

Did you know your website could be used to attack other websites?

Or, has your website displayed this message:

“Resource Limit Is Reached. The website is temporarily
unable to service your request as it exceeded
resource limit. Please try again later”

Or, worst:

“500 Internal Server Error”

 

If so, XML-RPC Support or specifically your WordPress xmlrpc.php file may very well have been the reason why.

[TBS_ALERT heading=”What is this article about?”]My goal in writing this article is to clarify what XML-RPC protocol is about, share a bit of history, and provide some quick tips for enabling or disabling XML-RPC Support.

Update, August 2014:
The WordPres 3.9.2 security update was intended to minimize the impact of excessive connections to the xmlrpc.php script.[/TBS_ALERT]
Here’s the rub, XML-RPC Support, a.k.a., remote publishing, was “OFF” by default in versions of WordPress prior to 3.5. In December 2012, the WordPress folks, believing they had fixed the XML-RPC security issues from earlier that year, forced the default XML-RPC protocol setting to “ON.” And, for good measure then removed the option to turn it off within the WordPress dashboard. Zoinks!map :: {skin:<g class=”gr_ gr_85 gr-alert gr_spell gr_disable_anim_appear undefined ContextualSpelling ins-del multiReplace” id=”85″ data-gr-id=”85″>’gray</g>’, animate:true, width:’60’, volume:0.5, autoplay:false, loop:false, showVolumeLevel:false, showTime:false, showRew:false, downloadable:false, <g class=”gr_ gr_86 gr-alert gr_spell gr_disable_anim_appear undefined ContextualSpelling ins-del multiReplace” id=”86″ data-gr-id=”86″>downloadablesecurity</g>:false, id3: false}

Then, later in 2013, distributed denial of service attacks using the xmlrpc mechanism were confirmed again by Incapsula, WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks.

Without going into a long treatise on how or why the XML-RPC protocol can be used and abused, let’s talk about whether you need to leave it “ON” (or OFF!).

• Do you use any of the applications listed on this WordPress Codex page, use Jetpack, or do you care about pingbacks and trackbacks?

If you are not sure what pingbacks or trackbacks are about there are lot of great articles written on this subject. I recommend trying a Google search for the phrase, “why should I care about pingbacks.”

 

I couldn’t care less about XML-RPC protocol or pingbacks or trackbacks, or Jetpack

• Then install these plugins: Disable XML-RPC and if not using a CDN like Cloudflare, install Bad Behavior as well.

If you would prefer to not use plugins and wish to kill the loading of the xmlrpc.php file completely, just add this snippet of text to your .htaccess file:

RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]

This null routing method will use less server resources than removing or denying access to the script; which would result in a 404 “file not found” request and additional resources respectively.

 

I loves my XML-RPC protocol, pingbacks and trackbacks, or Jetpack

For those of us who find Jetpack indispensable, and fully disabling xmlrpc.php is not an option, try one of these two options:

• Disable XML-RPC plugin. The Disable XML-RPC plugin was written to disable the XML-RPC API, but does not disable the trackbacks and pingbacks required by Jetpack and other mobile applications.
• Remove XMLRPC Pingback Ping should likewise allow JetPack and WordPress Mobile Applications to operate without error.

Alternately, to disable only pingbacks and trackbacks, while leaving the XML-RPC protocol operational:

1. Delete the wp-trackback.php file:
   /public_html/wp-trackback.php
2. Then disallow notifications by going to
   http://your_site.com/wp-admin/options-discussion.php

And uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)“

That should give you back much of the XML-RPC system flavor, without the bad pingback taste.

Alternatively, if Jetpack is your friend (today), instead of denying all access to xmlrpc.php, you can just as easily whitelist the JetPack IP addresses, while denying the rest. This way you’ll retain your Jetpack mojo, while serving up a dead page to begger bots:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 192.0.64.0/18
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>

 *If, for example, you are publishing updates from your iPhone using your local WiFi connection you would enter in your local Internet connection IP address to allow access. Hint: Google “What is my IP”

 

And Enjoy!

I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637

• How to Block Bots from Seeing your Website – Bad Bots and Drive-by Hacks Explained
• Protecting WordPress Against Brute Force and Denial of Service Attacks
• WordPress Security Plugins Revealed