WordPress XML-RPC Pingback Vulnerability

    5 March 2021 in Tech Blog, by Administrator

    By now everyone has heard of the XML Quadratic Blowup Attack vulnerability in WordPress.

    The WordPress Core Team has done their due diligence and has submitted a patch for the vulnerability. You can apply it readily by updating your WordPress runtime to the latest version (or the latest patch build of your current installation). If you haven’t already, you should absolutely update your installation the next chance you get.

    XML-RPC is a Problem

    Something that bears mentioning here is the WordPress XML-RPC itself.

    Unless you are using a plugin that requires using this now nearly ancient form of site access and control, XML-RPC is otherwise extra baggage that you need not carry around.

    Given the utter lack of XML-RPC usage across our client sites, the best fix for the current vulnerability, and a good preventive measure against similar attack vectors, is simply to disable XML-RPC altogether.

    In our case, we did this server-wide. Setting up a directive for Apache couldn’t be easier.

    In your configuration file (httpd.conf or, preferably, a pre-VirtualHost Include file), simply include the following snippet:

    Apache – Disable xmlrpc.php

    # Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat
    # the equivalent directive inside the <Files> block is "Require all denied".
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>

    For the Nginx crowd out there, you can use the following:

    Nginx – Disable xmlrpc.php

    server {
        # existing server configuration (listen, server_name, root, ...)
        # exact-match location so only /xmlrpc.php itself is refused
        location = /xmlrpc.php {
            deny all;
        }
    }

    If your site (or your clients’ sites) is not coupled to WordPress XML-RPC, disabling XML-RPC altogether is a great way to remove one attack vector that is often overlooked, exposed, and effectively exploited.
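    Once either rule is in place, the web server's access log is the simplest place to confirm it actually works: every request for /xmlrpc.php should be answered with a 403, and a 2xx means the deny rule is not being applied on that vhost. The following script is an added example, not code from the original post; it parses combined-format access-log lines (the sample lines are constructed here, with documentation IP ranges) and reports, per client, how many xmlrpc.php requests were served versus blocked.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# The 198.51.100.7 POST that got a 200 represents a vhost where the deny rule
# is missing; everything else is what a correctly blocked endpoint looks like.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2021:10:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2021:10:00:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2021:10:00:05 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2021:10:01:00 +0100] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "WordPress/5.6; http://example.org"
192.0.2.44 - - [05/Mar/2021:10:02:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_summary(log_text):
    """Count xmlrpc.php requests per client IP, split into served (2xx) and blocked (4xx)."""
    served = Counter()
    blocked = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip any query string so "/xmlrpc.php?rsd" is still recognised.
        if rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        if 200 <= rec["status"] < 300:
            served[rec["ip"]] += 1
        elif 400 <= rec["status"] < 500:
            blocked[rec["ip"]] += 1
    return {"served": dict(served), "blocked": dict(blocked)}


def deny_rule_effective(log_text):
    """True when no xmlrpc.php request in the log was answered with a 2xx."""
    return not xmlrpc_summary(log_text)["served"]


if __name__ == "__main__":
    summary = xmlrpc_summary(SAMPLE_LOG)
    print("blocked:", summary["blocked"])
    print("served :", summary["served"])
    print("deny rule effective:", deny_rule_effective(SAMPLE_LOG))
```

    Run it against a real log with `xmlrpc_summary(open("/var/log/nginx/access.log").read())`; a non-empty "served" map after the rule was deployed points at a vhost or Include file that the deny directive did not reach.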
