Skip to Content
  • +31 653-919-302
Cafayate.Net
  • 0
  • 0
  • Sign in
  • Nederlands English (US) Español (AR)
  • Contact Us
  • Home
  • Blog
  • Jobs
  • Contact us
Cafayate.Net
  • 0
  • 0
    • Home
    • Blog
    • Jobs
    • Contact us
  • +31 653-919-302
  • Nederlands English (US) Español (AR)
  • Sign in
  • Contact Us

WordPress XML-RPC Pingback Vulnerability

  • All Blogs
  • Tech Blog
  • WordPress XML-RPC Pingback Vulnerability
  • March 5, 2021 by
    Administrator

    By now everyone has heard of XML Quadratic Blowup Attack vulnerability in wordpress.

    The WordPress Core Team has done there due diligence and have submitted a patch for the vulnerability. You can implement it readily by updating your wordpress runtime to the latest greatest version (or the latest greatest patch build of your current installation). If you haven’t already, you should absolutely update your installation the next chance you get.

    XML-RPC is a Problem

    Something that bears mentioning here is the WordPress XML-RPC itself.

    Unless you are using a plugin that requires using this now nearly ancient form of site access and control, XML-RPC is otherwise extra baggage that you need not carry around.

    Given the utter lack of usage of XML-RPC throughout our client sites, the best fix for the current vulnerability, a great preventative measure against similar attack vectors, is to simply disable XML-RPC altogether.

    In our case, we did this server-wide. Setting up a directive for Apache couldn’t be easier.

    In your configuration file (httpd.conf or, preferably, a pre-VirtualHost Include file), simply include the following snippet:

    Apache – Disable xmlrpc.php

    1
    2
    3
    4
    5
    6
    7
    8
    9
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>

    For the Nginx crowd out there, you can use the following:

    Nginx – Disable xmlrpc.php

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    server {
        # stuff
        location = /xmlrpc.php {
            deny all;
        }
    }

    If your site (or your clients’ sites) are not coupled to WordPress XML-RPC, disabling XML-RPC altogether is a great way to reduce one attack vector that is often overlooked, exposed, and effectively exploited.

    in Tech Blog
    Hosting WordPress Site in LXC

    Designed for companies

    We are a team of passionate people whose goal is to improve everyone's life through disruptive products. We build great products to solve your business problems. Our products are designed for small to medium size companies willing to optimize their performance.

    Get in touch

    Plantexel
    Pedernera
    Salta Capital 
    Argenina

    • +31 653-919-302
    • [email protected]
    Follow us
    Copyright © Plantexel
    Nederlands | English (US) | Español (AR)