Ir al contenido
  • +31 653-919-302
Cafayate.Net
  • 0
  • 0
  • Inicia sesión
  • Nederlands English (US) Español (AR)
  • Contáctanos
  • Inicio
  • Blog
  • Empleos
  • Contáctanos
Cafayate.Net
  • 0
  • 0
    • Inicio
    • Blog
    • Empleos
    • Contáctanos
  • +31 653-919-302
  • Nederlands English (US) Español (AR)
  • Inicia sesión
  • Contáctanos

WordPress XML-RPC Pingback Vulnerability

  • Todos los blogs
  • Tech Blog
  • WordPress XML-RPC Pingback Vulnerability
  • 5 de marzo de 2021 por
    Administrator

    By now everyone has heard of XML Quadratic Blowup Attack vulnerability in wordpress.

    The WordPress Core Team has done there due diligence and have submitted a patch for the vulnerability. You can implement it readily by updating your wordpress runtime to the latest greatest version (or the latest greatest patch build of your current installation). If you haven’t already, you should absolutely update your installation the next chance you get.

    XML-RPC is a Problem

    Something that bears mentioning here is the WordPress XML-RPC itself.

    Unless you are using a plugin that requires using this now nearly ancient form of site access and control, XML-RPC is otherwise extra baggage that you need not carry around.

    Given the utter lack of usage of XML-RPC throughout our client sites, the best fix for the current vulnerability, a great preventative measure against similar attack vectors, is to simply disable XML-RPC altogether.

    In our case, we did this server-wide. Setting up a directive for Apache couldn’t be easier.

    In your configuration file (httpd.conf or, preferably, a pre-VirtualHost Include file), simply include the following snippet:

    Apache – Disable xmlrpc.php

    1
    2
    3
    4
    5
    6
    7
    8
    9
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>

    For the Nginx crowd out there, you can use the following:

    Nginx – Disable xmlrpc.php

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    server {
        # stuff
        location = /xmlrpc.php {
            deny all;
        }
    }

    If your site (or your clients’ sites) are not coupled to WordPress XML-RPC, disabling XML-RPC altogether is a great way to reduce one attack vector that is often overlooked, exposed, and effectively exploited.

    en Tech Blog
    Hosting WordPress Site in LXC

    Diseñado para empresas

    Somos un equipo de personas apasionadas cuyo objetivo es mejorar la vida de todos a través de productos revolucionarios. Creamos grandes productos para resolver sus problemas empresariales. Nuestros productos están diseñados para pequeñas y medianas empresas dispuestas a optimizar su rendimiento.

    Contáctenos

    Plantexel
    Pedernera
    Salta Capital 
    Argenina

    • +31 653-919-302
    • [email protected]
    Síganos
    Copyright © Plantexel
    Nederlands | English (US) | Español (AR)