Wordfence Security
[resolved] Wordfence and XML-RPC (32 posts)

  1. samaralife
    Member
    Posted 4 months ago #

    After upgrading Wordfence plugin I lost ability to post via Windows Live Writer. I mean, I only figured this out accidentally recalling that I did an upgrade this morning.

    New version of the plugin disables XML-RPC that is required for remote publishing. So, if you are using Windows Live Writer or other tools like that, go to Wordfence settings and untick the "Disable XML-RPC" option.

    https://wordpress.org/plugins/wordfence/

  2. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    Correct. If we get enough feedback we may consider removing the disable by default and just keeping it as an option.

    Regards,

    Mark.

  3. Snaxalig
    Member
    Posted 4 months ago #

    Ooh, I'm glad I found this post because I've already spent way too much time thinking about why I could no longer create new blog entries from within Adobe Lightroom - as I always have been able to before.

    Thanks to this post, I have switched on XML in the Wordfence Options so that everything works as it should again. The information on this new update should be somewhat clearer... ;)

  4. David Miller
    Member
    Posted 4 months ago #

    This tripped me up too. At the very least there should have been some comment that XML-RPC would be disabled by default in the latest version and perhaps a note that if users were having trouble using external apps that setting might fix the problem.

  5. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    Sorry about that guys, we'll probably modify the next version to leave XMLRPC enabled by default, although it's too late for you now. Thanks for the feedback and sorry for any inconvenience.

    Regards,

    Mark.

  6. Sunidaze
    Member
    Posted 4 months ago #

    I'll accept your apology for the inconvenience. I spent a lot of time trying to resolve my issue of not being able to post remotely with one of my remote posting programs.

    It didn't occur to me that Wordfence may have been causing the issue or I would have come to this support forum first.

    After hours upon hours of frustration trying to figure it out myself, I asked the tech support from my VPS host to look into my issue for me.

    Wordfence is the only plugin that shows such a recent modification time. I recommend disabling the Wordfence plugin and attempting to make another post via the XMLRPC API. If the post works with this plugin disabled, then we can safely assume Wordfence is causing the problem.

    All is well that ends well. I came here to determine if I would need to delete Wordfence completely until the issue was resolved and I'm happy to see it is as simple as unticking an option.

  7. Andrew Nacin
    Lead Developer
    Posted 4 months ago #

    This is unfortunately an improper fix and has no tangible benefit for WordPress users.

    The changelog says "Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack." The problem is this "attack" affects pingbacks. But the fix actually disables everything in XML-RPC except pingbacks, thus breaking mobile apps and anything else relying on XML-RPC, but allowing pingbacks through.

    If you want to disable pingbacks, then disable pingbacks. Don't do this. Or don't do anything, as these attacks are not particularly effective and more recent versions of WordPress and Akismet both pass along better information when verifying pingbacks; and Akismet additionally detects abuse.

  8. Daniel Jalkut (Red Sweater)
    Member
    Posted 4 months ago #

    Andrew Nacin's analysis rings true to me. But in the future, with any changes that alter the advertised behavior of a standard WordPress installation, you could get the best of both worlds, so to speak, by making a point of preserving existing behavior *for updated installations*. I don't think it would be too bad to default to whatever you think is best for new installations, because those users will be able to strongly correlate installing your plugin with whatever the change in behavior is.

  9. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    Andrew: I've filed a bug against this and we'll investigate.

    Regards,

    Mark.

  10. Melpomene
    Member
    Posted 4 months ago #

    Would appear that it's also prevented the latest version of Woo Commerce updating.

    My host told me

    "you installed wordfence, and we are not responsible for bad coding from wordfence and you need to fix that on that plugin you installed.
    Check for WordFence plugin settings and try to disable the ‘Disable XMLRPC’ feature of the plugin."

    Options - More Options - and unchecking the XMLRPC box

    has seemingly done the trick

  11. Melpomene
    Member
    Posted 4 months ago #

    Actually on reflection, it wasn't necessary to include the quote from my hosting company, and I don't see that it adds anything to the above post other than to provoke.

    The observation that the Woo Commerce plug-in is affected, however, is valid, as seems to be the instruction for resolving it (in my case), but if someone could remove the unnecessary quoted bit that serves no useful purpose I'd be grateful (I have tried to find a moderator contact but have so far failed).

    Thanks

  12. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    Hi all,

    We've yanked the feature. I've just released Wordfence 5.0.3 and the only difference is that we've completely removed the ability to disable XML-RPC.

    I've also put up a blog entry here explaining what we're doing to prevent this from happening in future:

    http://www.wordfence.com/blog/2014/04/removing-the-ability-to-disable-xml-rpc-in-emergency-release-5-0-3/

    In short: We screwed up. We're sorry. Clearly our release process and quality assurance isn't keeping up with the growth in Wordfence's user base and the sites that depend on us. So we need to fix this internally and I can assure you we're going to improve the process.

    Thanks to everyone including Andrew Nacin and all posters above who weighed in on this.

    Regards,

    Mark Maunder.

  13. samaralife
    Member
    Posted 4 months ago #

    Hi Mark,

    Thank you for your active participation in the discussion and quick response! Things happen. I guess we're all glad that this "bug" didn't ruin our websites, mess with the tables or files, and just caused a little delay to figure out what happened.

    Regards,
    Andrey

  14. Melpomene
    Member
    Posted 4 months ago #

    Am I reading this wrong Mark?

    "We've yanked the feature. I've just released Wordfence 5.0.3 and the only difference is that we've completely removed the ability to disable XML-RPC."

    Surely it was the fact that we could disable XML-RPC that allowed us to install the update (Woo in my case, as I operate a Woo theme). If your update removes this capacity, won't the issue return?

  15. cegomez
    Member
    Posted 4 months ago #

    Sorry?!?!?

    I use this feature and I know what it means, but if I update to 5.0.3 I lose even the possibility of disabling XML-RPC with your plugin and must disable it by hand or search for another plugin.

    Please put the option back, disabled if you want, but I think it's very useful to leave the option.

  16. Marcelo Pedra
    Member
    Posted 4 months ago #

    @Andrew Nacin:
    Then having Akismet active and up to date is ENOUGH to be protected from this kind of DDoS?

  17. Marcelo Pedra
    Member
    Posted 4 months ago #

    @Wordfence:
    The option to disable the feature should come back, DISABLED BY DEFAULT, and with enough information for people. There are some cases in which I want to completely isolate and shut down remote connections to a website, and this is useful.

    For example, iThemes Security released an update some days ago where they allow you to 1) keep it ON (XMLRPC ON and untouched by default), 2) soft turn off by using the native WP filter, and 3) hard block xmlrpc.php via htaccess. You should do the same.

  18. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    Hi Guys,

    We need to gather more feedback and examine what tangible security benefit it offers and if there are other alternatives that may provide larger security benefits. Thanks for your input.

    Regards,

    Mark.

  19. lizardwebs
    Member
    Posted 4 months ago #

    Hey Guys - love the features - however, I think with this last change (5.0.3) something may have gone awry. Specifically with the XML-RPC rollback. I also use a remote posting solution, and had spotted that XML-RPC entry pretty quickly after upgrading so disabled it on a few sites (disabled the disabling of XML-RPC to be exact - thus leaving it enabled where I needed it). Just did the update to 5.0.3 and now my sites that had been working with the above settings seem to be disabling XML-RPC completely. No option to re-enable, disable, etc. Haven't gone hunting through the plugin code for solutions yet, but... Any ideas? I have several sites that are now all reacting the same.

  20. Marcelo Pedra
    Member
    Posted 4 months ago #

    @lizardwebs: I added iThemes Security plugin, which is a good complement to WordFence and in fact provides the options to Disable XML RPC if you want. And XML RPC is on by default. I also use iThemes' plugin to enable hidden login, a feature that is not present in WordFence, but I would be willing to abandon iThemes if WordFence implements that.

  21. lizardwebs
    Member
    Posted 4 months ago #

    Thanks Marcelo - the problem though is that I enabled xmlrpc in a number of sites so I could use the remote posting software. And after the 5.0.3 update, my remote posting application cannot contact those sites. And I no longer have the option in WordFence of turning it on or off. It's just flat out off. Verified it via test at http://xmlrpc.eritreo.it

  22. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    @lizardwebs: Sounds like you have some other issue. Here's the actual code change that completely disables the feature:

    https://plugins.trac.wordpress.org/changeset/891023/wordfence/trunk/lib/wordfenceClass.php?old=888830&old_path=wordfence%2Ftrunk%2Flib%2FwordfenceClass.php

    Here's the full list of changes. Scroll past the list of files to see the actual diff:

    https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=891023%40wordfence&old=888856%40wordfence&sfp_email=&sfph_mail=

    Even if you don't understand PHP, it's pretty obvious what we've done here. We've removed the code that:

    1. Checks to see if the user has chosen to disable XML-RPC.

    2. Plugs into the xmlrpc_enabled filter to actually disable XML-RPC.

    With that code no longer present, there's no way that we can disable XML-RPC. So you probably have some other issue with your site.

    Regards,

    Mark.
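As an added illustration (not code from the Wordfence plugin or from any poster in this thread), here are the two approaches the thread contrasts, written as a minimal WordPress plugin: the blanket `xmlrpc_enabled` filter that Mark describes removing in post 22, which rejects every authenticated XML-RPC method (remote publishing, mobile apps) while leaving the unauthenticated pingback.ping method running, beside the pingback-only switch Andrew Nacin recommends in post 7, which unregisters just the pingback methods and stops advertising the endpoint. The filters are real WordPress core hooks; the plugin header and the `pbs_xmlrpc_mode` option name are constructed for this example.

```php
<?php
/**
 * Plugin Name: Pingback-Only Switch (added example, not the Wordfence plugin's code)
 * Description: Contrasts a blanket XML-RPC kill switch with a pingback-only one.
 */

// Constructed option name for this example: 'all' | 'pingbacks' | 'off'.
const PBS_MODE_OPTION = 'pbs_xmlrpc_mode';

function pbs_mode() {
    // Default leaves WordPress behaviour unchanged, as post 8 asks for on upgrade.
    return get_option( PBS_MODE_OPTION, 'all' );
}

/*
 * Approach 1: the blanket switch. Returning false from 'xmlrpc_enabled' makes
 * wp_xmlrpc_server::login() refuse every method that authenticates (posting,
 * media upload, the mobile apps). pingback.ping never authenticates, so it is
 * unaffected. This is the behaviour post 7 objects to.
 */
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return pbs_mode() === 'off' ? false : $enabled;
} );

/*
 * Approach 2: disable only pingbacks. Removing the pingback methods from the
 * server's method table stops the site verifying (fetching) attacker-supplied
 * source URLs, while remote publishing keeps working.
 */
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( pbs_mode() === 'pingbacks' ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    }
    return $methods;
} );

// Also stop advertising the pingback endpoint via the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    if ( pbs_mode() === 'pingbacks' ) {
        unset( $headers['X-Pingback'] );
    }
    return $headers;
} );
```

Set the option with `update_option( 'pbs_xmlrpc_mode', 'pingbacks' )` (for example from WP-CLI) to keep remote publishing working while refusing pingbacks, which is the outcome the thread's participants were after.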

  23. lizardwebs
    Member
    Posted 4 months ago #

    Thanks for the feedback @wordfence! I'll look at it - I stay on top of updates and it may be some other plugin. It hit 14 of my sites though that I use this software on and it seemed like the logical direction to look after the 5.0.3 - will keep on hunting for the issue! Thanks - LOVE FALCON!

  24. Marcelo Pedra
    Member
    Posted 4 months ago #

    @lizardwebs: I have XML RPC allowed in iThemes and not covered now by Wordfence, and http://xmlrpc.eritreo.it/ says XML RPC is enabled on my sites... do you use any other plugin or patch that you can remember?
    Maybe the Disable XMLRPC plugin? Maybe some htaccess patch? Check it out.

    BTW, these are the iThemes options for XML RPC. WordFence should use something like this:
    https://www.dropbox.com/s/xhi5brfyerzul1i/xmlrpc%20by%20ithemes.jpg

  25. Andrew Nacin
    Lead Developer
    Posted 4 months ago #

    There is really no valid reason to disable XML-RPC. It is a set of remote APIs in WordPress that require authentication with a username and password, same as the dashboard.

    If you did want to disable XML-RPC, then there are other plugins that will do it. Preferences have a cost. Having this plugin will not slow down your site in any way, will never need to be updated (it's one line of code), and doesn't even have any UI. Just activate or deactivate.

  26. Andrew Nacin
    Lead Developer
    Posted 4 months ago #

    To answer other questions: If you have Akismet 2.6.0, then yes, your site will be prevented from participating in "distributed denial of service" situations they have identified. Note these have been fairly minor in nature and do not actually affect your site; they only had the potential to affect other sites. It was also a very weak attack — there are much easier and more effective ways to "DDoS" a site. The reason why hackers were using it is because it "cloaked" the person behind it. So, Akismet 2.6.0 and WordPress 3.8.2 both included code to pass along information about who requested the pingback (by forwarding along their IP address) which makes this easier to be stopped at the network and host level and removes the "cloaked" aspect.

  27. lizardwebs
    Member
    Posted 4 months ago #

    @marcelo - Still looking at it - disabled all plugins, reinstalled WP, switched to default theme - still issues. Somehow, when all this is done, I'm going to end up feeling stupid for missing some small little thing I have no doubt when I find it... Going to take this offline from here though. This doesn't seem to have anything to do with WordFence and I don't want to waste their area chasing down rabbit holes LOL. thanks for the input all!

  28. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    @lizardwebs If you do find it give us an update just for info. Might be interesting to know what the cause was.

  29. Marcelo Pedra
    Member
    Posted 4 months ago #

    @Andrew:
    Thanks for the input regarding Akismet. From what you said, I still have a doubt: will Akismet STOP the attempts? Or will it simply pass the real IP along with the request so the other admin is able to block that IP?
    On the other hand, and if I understood correctly how the comments are managed, what if I set the comments to require an administrator to approve them? Will the site still be able to be abused?

  30. Andrew Nacin
    Lead Developer
    Posted 4 months ago #

    Both. Akismet will first send a pingback attempt to its API to check it, the same way it would evaluate a would-be spam comment. If the pingback clears the check, the real IP would be passed along.

    Requiring moderation won't help. Pingbacks get verified as part of receiving them, because we need the information in a pingback in order to provide you the source and excerpt (the pingback "author" and pingback "content"). Everything we do here happens to be per the pingback specification.
