It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file. Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.). Update: Check out the alternate method to whitelist specific IPs while protecting against threats.
About the Pingback Vulnerability
According to this article, there are four ways that WP‘s XML-RPC API (specifically, the pingback.ping method) could be abused by an attacker:
- Intel gathering — attacker may probe for specific ports in the target’s internal network
- Port scanning — attacker may port-scan hosts in the internal network
- DoS attacks — attacker may pingback via large number of sites for DoS attack
- Router hacking — attacker may reconfigure an internal router on the network
Again, this is just a summary for reference, see the original article for more details on these various vulnerabilities as well as the pingback.ping method. No need to rehash everything here :)
Protect against WordPress Pingback Vulnerability
If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:
# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”. Tip: to redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:
# protect xmlrpc
<IfModule mod_alias.c>
Redirect 301 /xmlrpc.php http://example.com/custom-page.php
</IfModule>Alternate .htaccess method
Here is an alternate .htaccess technique for denying all access to xmlrpc.php:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>Using this method, it’s possible to allow access to xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 123.456.789
Allow from 321.654.987
</Files>Note: if you use one of these .htaccess methods, keep in mind that it may be removed once the reported vulnerability is secured in a future version of WordPress.
Thanks to Yael K. Miller for bringing this to my attention.
22 Responses
ale – January 3, 2013 •
Excellent, thanks for the heads up!
Yael K. Miller – January 3, 2013 •
Thanks for writing this post.
There is a plugin Prevent XMLRPC that disables XMLRPC. But I know you prefer .htaccess solutions to plugin ones if possible. Plus, one of your methods allows white-listing which is a great option.
And I wouldn’t hold my breathe about an official WordPress fix. The issue was reported 6 years ago and Priority is set to “low.”
Jeff Starr – January 3, 2013 •
You’re welcome :)
Thanks for the tip on Prevent XMLRPC — I should’ve checked for a plugin, they’re useful for a lot of folks. As you mention, I prefer handling HTTP activity with .htaccess for better performance, which is beneficial during DoS attacks, aggressive scans, etc. For this particular threat, I think either is fine.
Yeh.. not holding my breath, but hopeful for a fix.
Noumaan – January 3, 2013 •
simple and neat trick. Thanks
janw.oostendorp – January 4, 2013 •
Don’t forget that the mobile apps also use the XMLRPC
Jeff Starr – January 4, 2013 •
Excellent point!
Daniel Carrero – January 4, 2013 •
Hi thanks for this tip
Just a question: why only delete or rename the file or put some header() in the first line on xmlrpc.php file?
Thanks again :)
Jeff Starr – January 4, 2013 •
Hi Daniel, yes that’s also an effective technique, but not mentioned in the article because it goes against the idea of “not hacking the WP core,” which tends to upset a few highly outspoken folks :)
Michael Clark – January 4, 2013 •
Is there ever a valid reason for a web browser to access a WordPress site’s xmlrpc.php file? Glancing through my server logs, I see many requests for it. Many give a referer from a page on the site itself. I guess pingbacks are valid, but it’s been a long time since I’ve gotten a non-spam pingback.
Vernessa Taylor – January 4, 2013 •
Just moved all my sites to a VPS and was ready to install latest version of WP when I came across convos about this vulnerability. Thanks for the .htaccess method of protection. Some of the alternatives were a bit involved.
Appreciate Yael K. Miller’s input on the plugin, too … Something I can share.
Mandy – January 15, 2013 •
I ve added the WordPress limit login attempts plugin and since than adding it I find that my wordpress is probed daily for username and pws along with other things like out of date themes. I believe simple user names and short pws will no longer do if you want hackers not to gain access to your WordPress blog.
Keith Davis – January 21, 2013 •
Vernessa T – I’m using the plugin.
Used it on a few sites, which means I can just remove it if the problem is ever sorted.
Roger – January 21, 2013 •
Likewise the .htaccess snippet can be removed anytime, and it’s better for site performance than using a plugin.
ian – January 21, 2013 •
Nice one ! I’m new to the WP world and any and all information is useful. Thanks
Yael K. Miller – January 25, 2013 •
Is this no longer necessary with WordPress 3.5.1?
Dave – February 4, 2013 •
+1 to Yael’s question. Did 3.5.1 release resolve this problem?
http://wordpress.org/news/2013/01/wordpress-3-5-1/
Jeff Starr – February 8, 2013 •
Yes it looks like they’ve fixed it! :)
Keith Davis – February 8, 2013
Cheers Jeff
Time to remove the plugin.
Isuru – February 1, 2013 •
When I’m checking “http://mysite.com/xmlrpc.php” I got this message, what is it mean? My XML-RPC not protected? XML-RPC server accepts POST requests only is a good sign for security?
Jeff Starr – February 8, 2013 •
That is the default/normal response for non-POST requests.. nothing to worry about (but make sure you’re running the latest version of WP).