Latest TweetsNew version of Disable Gutenberg includes options to disable for specific theme templates and/or post/page IDs. wordpress.org/plugins/disable-…
Perishable Press

Protection for WordPress Pingback Vulnerability

It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file.

Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.).
Update: Check out the alternate method to whitelist specific IPs while protecting against threats.

About the Pingback Vulnerability

According to this article, there are four ways that WP‘s XML-RPC API (specifically, the pingback.ping method) could be abused by an attacker:

  • Intel gathering — attacker may probe for specific ports in the target’s internal network
  • Port scanning — attacker may port-scan hosts in the internal network
  • DoS attacks — attacker may pingback via large number of sites for DoS attack
  • Router hacking — attacker may reconfigure an internal router on the network

Again, this is just a summary for reference, see the original article for more details on these various vulnerabilities as well as the pingback.ping method. No need to rehash everything here :)

Protect against WordPress Pingback Vulnerability

If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:

# protect xmlrpc
<IfModule mod_alias.c>
	RedirectMatch 403 /xmlrpc.php
</IfModule>

Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”. Tip: to redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:

# protect xmlrpc
<IfModule mod_alias.c>
	Redirect 301 /xmlrpc.php http://example.com/custom-page.php
</IfModule>

Alternate .htaccess method

Here is an alternate .htaccess technique for denying all access to xmlrpc.php:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
</Files>

Using this method, it’s possible to allow access to xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:

# protect xmlrpc
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
	Allow from 321.654.987
</Files>

Note: if you use one of these .htaccess methods, keep in mind that it may be removed once the reported vulnerability is secured in a future version of WordPress.

For further discussion, check out my post at DigWP.com: The xmlrpc.php File and Site Security.

Thanks to Yael K. Miller for bringing this to my attention.

Jeff Starr
About the Author Jeff Starr = Creative thinker. Passionate about free and open Web.
Archives
23 responses
  1. Excellent, thanks for the heads up!

  2. Yael K. Miller January 3, 2013 @ 10:25 am

    Thanks for writing this post.

    There is a plugin Prevent XMLRPC that disables XMLRPC. But I know you prefer .htaccess solutions to plugin ones if possible. Plus, one of your methods allows white-listing which is a great option.

    And I wouldn’t hold my breathe about an official WordPress fix. The issue was reported 6 years ago and Priority is set to “low.”

    • Jeff Starr

      You’re welcome :)

      Thanks for the tip on Prevent XMLRPC — I should’ve checked for a plugin, they’re useful for a lot of folks. As you mention, I prefer handling HTTP activity with .htaccess for better performance, which is beneficial during DoS attacks, aggressive scans, etc. For this particular threat, I think either is fine.

      Yeh.. not holding my breath, but hopeful for a fix.

  3. simple and neat trick. Thanks

  4. janw.oostendorp January 4, 2013 @ 2:08 am

    Don’t forget that the mobile apps also use the XMLRPC

  5. Daniel Carrero January 4, 2013 @ 11:22 am

    Hi thanks for this tip
    Just a question: why only delete or rename the file or put some header() in the first line on xmlrpc.php file?
    Thanks again :)

    • Jeff Starr

      Hi Daniel, yes that’s also an effective technique, but not mentioned in the article because it goes against the idea of “not hacking the WP core,” which tends to upset a few highly outspoken folks :)

  6. Michael Clark January 4, 2013 @ 4:51 pm

    Is there ever a valid reason for a web browser to access a WordPress site’s xmlrpc.php file? Glancing through my server logs, I see many requests for it. Many give a referer from a page on the site itself. I guess pingbacks are valid, but it’s been a long time since I’ve gotten a non-spam pingback.

    Note: comment edited for clarity

  7. Vernessa Taylor January 4, 2013 @ 9:52 pm

    Just moved all my sites to a VPS and was ready to install latest version of WP when I came across convos about this vulnerability. Thanks for the .htaccess method of protection. Some of the alternatives were a bit involved.

    Appreciate Yael K. Miller’s input on the plugin, too … Something I can share.

  8. I ve added the WordPress limit login attempts plugin and since than adding it I find that my wordpress is probed daily for username and pws along with other things like out of date themes. I believe simple user names and short pws will no longer do if you want hackers not to gain access to your WordPress blog.

  9. Nice one ! I’m new to the WP world and any and all information is useful. Thanks

  10. Keith Davis January 21, 2013 @ 1:34 pm

    Vernessa T – I’m using the plugin.
    Used it on a few sites, which means I can just remove it if the problem is ever sorted.

    • Likewise the .htaccess snippet can be removed anytime, and it’s better for site performance than using a plugin.

  11. Is this no longer necessary with WordPress 3.5.1?

  12. When I’m checking “http://mysite.com/xmlrpc.php” I got this message, what is it mean? My XML-RPC not protected? XML-RPC server accepts POST requests only is a good sign for security?

    • Jeff Starr

      That is the default/normal response for non-POST requests.. nothing to worry about (but make sure you’re running the latest version of WP).

[ Comments are closed for this post ]