facebookinstagrammailtwitter

verwebbt

WordPress XML-RPC flooding

Dear WordPress-User,

maybe you know about XML-RPC, or at least you know about Trackbacks and Pingbacks, as WordPress calls them. And maybe you noticed that you don’t use them at all.

Sadly XML-RPC has a big flaw: you can get attacked; flooded with POST requests to xmlrpc.php, one request every few milliseconds for a few hours. Your page gets slower until your webserver raises the white flag. You’re being DoS’ed.

Do yourself a favor. Block all access to /xmlrpc.php and be happy again. This will cause trouble with some services like the WordPress Smartphone App, but in my situation it’s worth it. I don’t use the App at all and was being attacked multiple times a day.

Most likely your php is processed by Apache. Add this to your .htaccess file to deny access to XML-RPC.


<Files "xmlrpc.php">
    Order Allow,Deny
    deny from all
</Files>

If your php is processed by nginx, you need to add this to your nginx config:


location = /xmlrpc.php {
    deny all;
    access_log off;
    error_log off;
}

To test this, simply try to request yoursite.com/xmlrpc.php. You should get a 403 Forbidden.

Note from Future-Timo: WordPress‘ Jetpack seems to use xmlrpc.php for communication. Currently I’m trying to just disable pingback using the following snippet in my functions.php – I’m not completely convinced that this will scare off attack-bots.


function remove_xmlrpc_pingback_ping( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );

Note from Future-Future-Timo: as I suspected this will not solve the problem. I went back and deactivated XML-RPC completely.

In der Vollendung meines Plans komplett auf timomeh zu wechseln, besitze ich nun timomeh.de samt neuem Blog. Ich werde dort keine Business-Development-Arikel verfassen sondern auf einer persönlichen Basis bleiben. Wie ich mich kenne möchte ich früher oder später wieder ein bisschen über Development schreiben, deshalb bleibt verwebbt.de weiterhin aktiv.

Wer sich übrigens dafür interessiert, wie das WordPress Theme für timomeh.de in Code aussieht, kann dies auf GitHub sehen. Man sieht ein bisschen gulp-Action, ich habe zum Spaß alle meta-Tags nicht über ein Plugin erstellen lassen und laut PageSpeed Insights die Seite so weit optimiert, wie es mir möglich ist.