WordPress.org

Ready to get started?Download WordPress

Forums

Some security concerns (3 posts)

  1. pete_398
    Member
    Posted 3 years ago #

    Just a small number of security concerns I have about WordPress (new user).

    Every WP page has a set of links up the top, and accessing some of those links concerns me.

    1. http://example.com/xmlrpc.php?rsd

    which displays ...

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Notice the HTTPS in all the url's. I do have a HTTPS cert/connection, BUT I don't want the public to know about it, or to use it. It is for secure purposes. Now, take a look in xmlrpc.php

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Notice "site_url" which is clearly defined in the database and therefore WP config settings as HTTP, not HTTPS . The site_url must be overwritten by the SSL admin setting.

    Clearly a bug.

    2. http://example.com/wp-includes/wlwmanifest.xml

    displays the following ..

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Why display /wp-admin/ links ? This is a security concern for us, as comments are "off" and also are registrations, so any reference/link to url/uri that are not allowed by login/access, should NOT be displayed to the general public.

    Sure, people can find out by looking at a WP archive, and checking a few files, however bots/crawlesr will now try to access these links, and I have to go and add a mod-rewrite of change file perms,etc,etc.

    Not very clever. :(

  2. Dion Hulse
    WordPress Dev
    Posted 3 years ago #

    1. http://example.com/xmlrpc.php?rsd
    The site_url must be overwritten by the SSL admin setting.

    If thats the case, then it sounds like a bug for sure.

    Note, that people can find out if you have a SSL cert by just loading the SSL url.. so it's really not much of an issue..

    Why display /wp-admin/ links ?

    Knowing the path isnt really a security issue, WordPress sites, along with most other CMS's have very unique signatures, give me a url and i'll tell you if it's WordPress site, what version it's running, the admin location, etc. If i can do it, a Bot certainly can too (and do).

    The wlwmanifest.xml file is added for Windows Live Writer, ie. for you, as a publisher, to utilise. You can remove the manifest file from the header if you wish by disablign it with a plugin, or with this command in your themes functions.php:
    remove_action( 'wp_head', 'wlwmanifest_link');

    but to re-iterate, it's not really a security issue at all.

  3. pete_398
    Member
    Posted 3 years ago #

    Note, that people can find out if you have a SSL cert by just loading the SSL url.. so it's really not much of an issue..

    Yes, anyone can 'try' any protocol they like, whether they are authorised or not. By the very nature of any encryption, it creates more load on the server. Reducing that server load is important, so it is an issue if one is concerned about server load.

    The wlwmanifest.xml file is added for Windows Live Writer, ie. for you, as a publisher, to utilise. You can remove the manifest file from the header if you wish by disablign it with a plugin, or with this command in your themes functions.php:
    remove_action( 'wp_head', 'wlwmanifest_link');

    Thanks for the advice on that XML file. Windows I don't use for WordPress. I guess I can just remove the XML file, assuming it's not used for anything else. But a cleaner method may be to modify /wp-includes/general-template.php

    function rsd_link() {
    	echo '<link rel="EditURI" type="application/rsd+xml" title="RSD" href="' . get_bloginfo('wpurl') . "/xmlrpc.php?rsd\" />\n";
    }

    Either way, it will require re-applying mods when a new version of WP appears.

    but to re-iterate, it's not really a security issue at all.

    If we don't want to supply links to the admin section of the website, then it becomes a security issue when WordPress supplies those links.

    Sure, people can find out 'where' admin is, and attempt to access files (we get many attempted hacks each day, all unsuccessful), but we would rather make the site more secure, and then if a file or folder is accessed that shouldn't be, the culprit gets logged and reported. :D

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.