It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file. Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.). Update: Check out the alternate method to whitelist specific IPs while protecting against threats.
About the Pingback Vulnerability
According to this article, there are four ways that WP‘s XML-RPC API (specifically, the pingback.ping method) could be abused by an attacker:
- Intel gathering — attacker may probe for specific ports in the target’s internal network
- Port scanning — attacker may port-scan hosts in the internal network
- DoS attacks — attacker may pingback via large number of sites for DoS attack
- Router hacking — attacker may reconfigure an internal router on the network
Again, this is just a summary for reference, see the original article for more details on these various vulnerabilities as well as the pingback.ping method. No need to rehash everything here :)
Protect against WordPress Pingback Vulnerability
If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:
# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”. Tip: to redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:
# protect xmlrpc
<IfModule mod_alias.c>
Redirect 301 /xmlrpc.php http://example.com/custom-page.php
</IfModule>Alternate .htaccess method
Here is an alternate .htaccess technique for denying all access to xmlrpc.php:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>Using this method, it’s possible to allow access to xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 123.456.789
Allow from 321.654.987
</Files>Note: if you use one of these .htaccess methods, keep in mind that it may be removed once the reported vulnerability is secured in a future version of WordPress.
Thanks to Yael K. Miller for bringing this to my attention.
22 Responses
Alok Tiwari – February 10, 2013 •
Just Shared..
http://www.pentestgeek.com/2013/01/03/wordpress-pingback-portscanner-metasploit-module/
pg – May 29, 2013 •
Currently, several of my blogs are being hit with xmlrpc DDOS attacks. I’ve implemented Fail2Ban-fu to counter these attacks.
For Fail2Ban Fans:
/etc/fail2ban/filter.d/wp-xmlrpc.conf# Fail2Ban configuration file[INCLUDES]# Read common prefixes. If any customizations available -- read them from# common.localbefore = common.conf[Definition]_daemon = wp-xmlrpc# Option: failregex# Notes.: regex to match repeated xmlrpc attacks. The# host must be matched by a group named "host". The tag "" can# be used for standard IP/hostname matching and is only an alias for# (?:::f{4,6}:)?(?P[\w\-.^_]+)# Values: TEXT#failregex = \s.*\s.POST /xmlrpc.php HTTP/1.1"*.\s.*# Option: ignoreregex# Notes.: regex to ignore. If this regex matches, the line is ignored.# Values: TEXT#ignoreregex =and /etc/fail2ban/jail.local[wp-xmlrpc]enabled = truefilter = wp-xmlrpcaction = iptables-multiport[name=wp-xmlrpc, port="80,443", protocol=tcp]sendmail-whois[name=wp-xmlrpc, dest=vacantserver@vacantserver.net]logpath = /home/*/logs/access_logmaxretry = 10findtime = 60bantime = 3600