WordPress.org

Forums

Jetpack by WordPress.com
[resolved] Disabling XML-RPC may damage JetPack? (18 posts)

  1. Marcelo Pedra
    Member
    Posted 1 year ago #

    Hello guys, I'm concerned about botnets using WP sites to maliciously pingback other websites. Specifically due to this:
    http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

    They recommend to disabe XML-RPC to mitigate possiblities of abuse.
    Do you encourage to implement this solution or may this break some JetPack functionality?

    Thanks.

    https://wordpress.org/plugins/jetpack/

  2. Richard Archambault
    Happiness Engineer
    Plugin Author

    Posted 1 year ago #

    Hi Marcelo,

    Disabling XML-RPC will cause much of Jetpack to stop functioning as expected. Rather than disabling XML-RPC, install the latest version of Akismet, which included some checks to help mitigate this issue:

    http://blog.akismet.com/2014/03/18/akismet-plugin-2-6/

  3. Marcelo Pedra
    Member
    Posted 1 year ago #

    Thank you Richard, there is a lot of buzz around this issue. So, any further details will help.

    Can you please enumerate the JetPack services that would stop functioning if XML RPC is disabled? I do use Stats, Comments, Publicize, Photon, and didnt noticed any problem with those services after disabling XML RPC.

  4. George Stephanis
    Automattic Lead Code Monkey
    Plugin Author

    Posted 1 year ago #

    Jetpack is based off a two-way communication between your server and the WordPress.com servers. That is done via xmlrpc.php. If you delete your xmlrpc.php file, some things will break -- for example, the initial sync for Related Posts, single sign on, the JSON API, Subscriptions, and a number of others that don't immediately come to mind (this is not an exhaustive list by any means). If you disconnect, you also won't be able to re-connect to WordPress.com unless the two way sync is re-enabled.

    But it depends largely on how you're disabling xmlrpc. If you are simply deleting the xmlrpc.php file -- then yes, it will indeed break. This is a very bad idea.

    If you are using the add_filter('xmlrpc_enabled','__return_false'); method, then traditional WordPress XMLRPC will be disabled (so the mobile apps will cease to function, for example, as will a number of other third-party clients like Pressgram and IFTTT) but Jetpack will still function.

    If you're filtering xmlrpc_methods to remove the pingback.ping method, then everything will still work, except for the pingback.ping method -- which really is the intended solution in the first place.

  5. Marcelo Pedra
    Member
    Posted 1 year ago #

    Oh yeah! This was the better explanation I readed until now.
    Very thanks George! It clarifies all the mess and noise regarding this issue.

    I never liked the idea of deleting xmlrpc.php file. Then I should be ok since I implemented the add_filter( 'xmlrpc_enabled', '__return_false' ); method.

    The question is, will this method be enough to safeguard the websites from being abused by the XML RPC exploitation that have been reported last week?

  6. George Stephanis
    Automattic Lead Code Monkey
    Plugin Author

    Posted 1 year ago #

    I really couldn't say one way or another.

  7. Marcelo Pedra
    Member
    Posted 1 year ago #

    I understand. But I also understand that disbling XML RPC with this method prevents the website for sending/accpeting pingbacks/trackbacks. That is right?

  8. Marcelo Pedra
    Member
    Posted 1 year ago #

    Guys, I just wanted to ask about this other way to block XML RPC found in the just released version of iThemes Security plugin (formerly Better WP Security):

    <files xmlrpc.php>
    	Order allow,deny
    	Deny from all
    </files>

    I bet this is really more aggresive and you wouldn't encourage to do it this way. At least not without verifying first that you don't need remote access to the site or any local API. Right?

  9. George Stephanis
    Automattic Lead Code Monkey
    Plugin Author

    Posted 1 year ago #

    I wouldn't encourage it, and I'll contact them privately about it.

  10. Marcelo Pedra
    Member
    Posted 1 year ago #

    George, I found another one you may want to give some advice:
    All In One WP Security & Firewall allow to block the XML RPC thing via htaccess, but using a bit less aggressive approach, yet breaking things down. Although they really EXPLAIN the consequences of shutting this down:

    <IfModule mod_alias.c>
    RedirectMatch 403 /(.*)/xmlrpc\.php$
    </IfModule>

    The only problem I see in using the native hook method is that the entire WP site needs to be loaded in order to apply. This could be used against a site without XML RPC to do some sort of DDoS... So, the shut down should be evaluated by any owner. The case is that plugin developers should be crystal clear on what the consequences would be.

  11. Clarus Dignus
    Member
    Posted 8 months ago #

    Any follow-up on iThemes Security's recommending of fully disabling XML RPC?

    Is there any middle ground between disabling XML RPC via iThemes Security and allowing JetPack to function?

    Either one party or the other is correct. Either JetPack presents an exploit via XML RPC or iThemes Security is taking an overkill counter-measure.

    Can anyone guide on what the true case might be?

  12. Clarus Dignus
    Member
    Posted 8 months ago #

  13. amaheer1
    Member
    Posted 7 months ago #

    i tried to find xml-rpc file but didn't find it, so i uploaded it to the root file but still cannot connect jetpack.

    How to solve this?

  14. Jeremy Herve
    Happiness Engineer
    Plugin Author

    Posted 7 months ago #

    @amaheer1 I replied to the other thread you started here:
    https://wordpress.org/support/topic/cannot-connect-to-jetpack-2?replies=2

  15. alfreddatakillen
    Member
    Posted 6 months ago #

    Lately, I've hade a lot of troubles with xmlrpc attacks. add_filter( 'xmlrpc_enabled', '__return_false' ); was not enough, because the massive numbers of requests brought the servers down (loading WordPres at each request). So, I wrote a plugin which denys xmlrpc.php requests already in .htaccess, except for requests from Automattic's/JetPack's IP address subnets. The plugin polls ARIN on a reqular basis, to get all IP addresses that belong to Automattic, and updates .htaccess accordingly.

    The plugin is published here: https://wordpress.org/plugins/stop-xmlrpc-attack/

  16. Marcelo Pedra
    Member
    Posted 6 months ago #

    @alfreddatakillen: sounds good, I'll take a look at it

  17. einstem
    Member
    Posted 6 months ago #

    All,

    I have been having problems getting Jetpack Related posts to work with my hosting provider and my site, so I want to try to make sure I understand this whole issue.

    I use: Related Posts, WordPress Stats, Subscriptions, Comments, Publicize

    If I have this code in my wp-config.php file to protect my site against XMLRPC DOS attacks:

    add_filter('xmlrpc_enabled','__return_false';

    Will this allow my Jetpack features listed above to still work?
    Will this disable any other Jetpack features I should be aware of?

    Thanks.

    Michael

  18. Adam Heckler
    Member
    Plugin Author

    Posted 6 months ago #

    @einstem

    Could you please start your own thread, as per the Forum Welcome?

    http://wordpress.org/support/plugin/jetpack#postform

    Thank you!

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Jetpack by WordPress.com
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic

Tags

No tags yet.