Protection for WordPress Pingback Vulnerability

.htaccess made easy

A WordPress Pingback Vulnerability was recently reported, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file. Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.). Update: Check out the alternate method below to whitelist specific IPs while protecting against threats.

About the Pingback Vulnerability

According to this article, there are four ways that WP‘s XML-RPC API (specifically, the pingback.ping method) could be abused by an attacker:

  • Intel gathering — attacker may probe for specific ports in the target’s internal network
  • Port scanning — attacker may port-scan hosts in the internal network
  • DoS attacks — attacker may trigger pingbacks from a large number of sites to mount a DoS attack
  • Router hacking — attacker may reconfigure an internal router on the network

Again, this is just a summary for reference; see the original article for more details on these various vulnerabilities as well as the pingback.ping method. No need to rehash everything here :)

Protect against WordPress Pingback Vulnerability

If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:

# protect xmlrpc
<IfModule mod_alias.c>
	RedirectMatch 403 /xmlrpc.php
</IfModule>

Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 Forbidden” message. Tip: to redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:

# protect xmlrpc
# send requests for xmlrpc.php to a custom page instead of a bare 403
<IfModule mod_alias.c>
	RedirectMatch 301 /xmlrpc.php http://example.com/custom-page.php
</IfModule>

Alternate .htaccess method

Here is an alternate .htaccess technique for denying all access to xmlrpc.php:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
</Files>

Using this method, it’s possible to allow access to xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
	# placeholder addresses (RFC 5737 documentation range);
	# replace with the actual IP(s) you want to allow
	Allow from 203.0.113.10
	Allow from 203.0.113.20
</Files>
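The Order, Deny and Allow directives used in the two blocks above are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded, and in a .htaccess file on a 2.4 server without that module they produce a 500 Internal Server Error (“Invalid command 'Order'”). The same deny-all rule and the same IP whitelist, written with the 2.4 Require directives, are shown below as an added example that is not part of the original post. The IP addresses are RFC 5737 documentation placeholders, and the file is assumed to be xmlrpc.php at the site root as in the rest of the post:

```apache
# protect xmlrpc (Apache 2.4 syntax; added example, not from the original post)
<IfModule mod_authz_core.c>
    <Files "xmlrpc.php">
        # To deny everyone, keep only this line; it is the 2.4 equivalent of
        # "Order Deny,Allow" plus "Deny from all":
        # Require all denied
        #
        # To whitelist specific clients instead, list them with "Require ip".
        # Several Require lines at the same level are ORed together, and a
        # client that matches none of them is denied, so no separate
        # "Deny from all" counterpart is needed.
        # 203.0.113.10 and 203.0.113.20 are RFC 5737 documentation placeholders;
        # replace them with the real Blogger/MovableType addresses you need.
        Require ip 203.0.113.10
        Require ip 203.0.113.20
    </Files>
</IfModule>
```

Because the block is wrapped in an IfModule test for mod_authz_core, it is silently skipped on an Apache 2.2 server (which has no such module), leaving xmlrpc.php unprotected there; so, as with the 2.2 version, request xmlrpc.php after deploying and confirm that you actually get the 403 before assuming the file is locked down.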

Note: if you use one of these .htaccess methods, keep in mind that it can be removed once the reported vulnerability is fixed in a future version of WordPress.

Thanks to Yael K. Miller for bringing this to my attention.