Protection for WordPress Pingback Vulnerability
It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via
xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the
About the Pingback Vulnerability
According to this article, there are four ways that WP‘s XML-RPC API (specifically, the
pingback.ping method) could be abused by an attacker:
- Intel gathering — attacker may probe for specific ports in the target’s internal network
- Port scanning — attacker may port-scan hosts in the internal network
- DoS attacks — attacker may pingback via large number of sites for DoS attack
- Router hacking — attacker may reconfigure an internal router on the network
Again, this is just a summary for reference, see the original article for more details on these various vulnerabilities as well as the
pingback.ping method. No need to rehash everything here :)
Protect against WordPress Pingback Vulnerability
If you know you aren’t using the XML-RPC functionality for anything, and would like to protect against any vulnerabilities, you can lock things down with a simple slice of .htaccess:
# protect xmlrpc <IfModule mod_alias.c> RedirectMatch 403 /xmlrpc.php </IfModule>
Include that after any other rules in your site’s root .htaccess file and you should be good to go. To test that it’s working, try accessing the
xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”. Tip: to redirect requests for
xmlrpc.php to a custom page, modify the
RedirectMatch like so:
# protect xmlrpc <IfModule mod_alias.c> Redirect 301 /xmlrpc.php http://example.com/custom-page.php </IfModule>
Alternate .htaccess method
Here is an alternate .htaccess technique for denying all access to
# protect xmlrpc <Files xmlrpc.php> Order Deny,Allow Deny from all </Files>
Using this method, it’s possible to allow access to
xmlrpc.php for specific IP addresses. For example, if you know your Blogger and/or MovableType IP(s), you can whitelist them by adding an “Allow” line for each, like so:
# protect xmlrpc <Files xmlrpc.php> Order Deny,Allow Deny from all Allow from 123.456.789 Allow from 321.654.987 </Files>
Note: if you use one of these .htaccess methods, keep in mind that it may be removed once the reported vulnerability is secured in a future version of WordPress.
For further discussion, check out my post at DigWP.com: The xmlrpc.php File and Site Security.
Thanks to Yael K. Miller for bringing this to my attention.
Excellent, thanks for the heads up!
Thanks for writing this post.
There is a plugin Prevent XMLRPC that disables XMLRPC. But I know you prefer .htaccess solutions to plugin ones if possible. Plus, one of your methods allows white-listing which is a great option.
And I wouldn’t hold my breathe about an official WordPress fix. The issue was reported 6 years ago and Priority is set to “low.”
You’re welcome :)
Thanks for the tip on Prevent XMLRPC — I should’ve checked for a plugin, they’re useful for a lot of folks. As you mention, I prefer handling HTTP activity with .htaccess for better performance, which is beneficial during DoS attacks, aggressive scans, etc. For this particular threat, I think either is fine.
Yeh.. not holding my breath, but hopeful for a fix.
simple and neat trick. Thanks
Don’t forget that the mobile apps also use the XMLRPC
Hi thanks for this tip
Just a question: why only delete or rename the file or put some header() in the first line on xmlrpc.php file?
Thanks again :)
Hi Daniel, yes that’s also an effective technique, but not mentioned in the article because it goes against the idea of “not hacking the WP core,” which tends to upset a few highly outspoken folks :)
Is there ever a valid reason for a web browser to access a WordPress site’s xmlrpc.php file? Glancing through my server logs, I see many requests for it. Many give a referer from a page on the site itself. I guess pingbacks are valid, but it’s been a long time since I’ve gotten a non-spam pingback.
Note: comment edited for clarity
Just moved all my sites to a VPS and was ready to install latest version of WP when I came across convos about this vulnerability. Thanks for the .htaccess method of protection. Some of the alternatives were a bit involved.
Appreciate Yael K. Miller’s input on the plugin, too … Something I can share.
I ve added the WordPress limit login attempts plugin and since than adding it I find that my wordpress is probed daily for username and pws along with other things like out of date themes. I believe simple user names and short pws will no longer do if you want hackers not to gain access to your WordPress blog.
Nice one ! I’m new to the WP world and any and all information is useful. Thanks
Vernessa T – I’m using the plugin.
Used it on a few sites, which means I can just remove it if the problem is ever sorted.
Likewise the .htaccess snippet can be removed anytime, and it’s better for site performance than using a plugin.
Is this no longer necessary with WordPress 3.5.1?
+1 to Yael’s question. Did 3.5.1 release resolve this problem?
Yes it looks like they’ve fixed it! :)
Time to remove the plugin.
When I’m checking “http://mysite.com/xmlrpc.php” I got this message, what is it mean? My XML-RPC not protected? XML-RPC server accepts POST requests only is a good sign for security?
That is the default/normal response for non-POST requests.. nothing to worry about (but make sure you’re running the latest version of WP).