Hello guys, I’m concerned about botnets using WP sites to maliciously pingback other websites. Specifically due to this:
They recommend to disabe XML-RPC to mitigate possiblities of abuse.
Do you encourage to implement this solution or may this break some JetPack functionality?
Disabling XML-RPC will cause much of Jetpack to stop functioning as expected. Rather than disabling XML-RPC, install the latest version of Akismet, which included some checks to help mitigate this issue:
Thank you Richard, there is a lot of buzz around this issue. So, any further details will help.
Can you please enumerate the JetPack services that would stop functioning if XML RPC is disabled? I do use Stats, Comments, Publicize, Photon, and didnt noticed any problem with those services after disabling XML RPC.
Jetpack is based off a two-way communication between your server and the WordPress.com servers. That is done via xmlrpc.php. If you delete your xmlrpc.php file, some things will break — for example, the initial sync for Related Posts, single sign on, the JSON API, Subscriptions, and a number of others that don’t immediately come to mind (this is not an exhaustive list by any means). If you disconnect, you also won’t be able to re-connect to WordPress.com unless the two way sync is re-enabled.
But it depends largely on how you’re disabling xmlrpc. If you are simply deleting the xmlrpc.php file — then yes, it will indeed break. This is a very bad idea.
If you are using the
add_filter('xmlrpc_enabled','__return_false');method, then traditional WordPress XMLRPC will be disabled (so the mobile apps will cease to function, for example, as will a number of other third-party clients like Pressgram and IFTTT) but Jetpack will still function.
If you’re filtering
xmlrpc_methodsto remove the
pingback.pingmethod, then everything will still work, except for the pingback.ping method — which really is the intended solution in the first place.
Oh yeah! This was the better explanation I readed until now.
Very thanks George! It clarifies all the mess and noise regarding this issue.
I never liked the idea of deleting xmlrpc.php file. Then I should be ok since I implemented the
add_filter( 'xmlrpc_enabled', '__return_false' );method.
The question is, will this method be enough to safeguard the websites from being abused by the XML RPC exploitation that have been reported last week?
I really couldn’t say one way or another.
I understand. But I also understand that disbling XML RPC with this method prevents the website for sending/accpeting pingbacks/trackbacks. That is right?
Guys, I just wanted to ask about this other way to block XML RPC found in the just released version of iThemes Security plugin (formerly Better WP Security):
<files xmlrpc.php> Order allow,deny Deny from all </files>
I bet this is really more aggresive and you wouldn’t encourage to do it this way. At least not without verifying first that you don’t need remote access to the site or any local API. Right?
I wouldn’t encourage it, and I’ll contact them privately about it.
George, I found another one you may want to give some advice:
All In One WP Security & Firewall allow to block the XML RPC thing via htaccess, but using a bit less aggressive approach, yet breaking things down. Although they really EXPLAIN the consequences of shutting this down:
<IfModule mod_alias.c> RedirectMatch 403 /(.*)/xmlrpc\.php$ </IfModule>
The only problem I see in using the native hook method is that the entire WP site needs to be loaded in order to apply. This could be used against a site without XML RPC to do some sort of DDoS… So, the shut down should be evaluated by any owner. The case is that plugin developers should be crystal clear on what the consequences would be.
Any follow-up on iThemes Security’s recommending of fully disabling XML RPC?
Is there any middle ground between disabling XML RPC via iThemes Security and allowing JetPack to function?
Either one party or the other is correct. Either JetPack presents an exploit via XML RPC or iThemes Security is taking an overkill counter-measure.
Can anyone guide on what the true case might be?
Started a separate thread: https://wordpress.org/support/topic/question-about-ithemes-security-conflicting-with-jetpack
i tried to find xml-rpc file but didn’t find it, so i uploaded it to the root file but still cannot connect jetpack.
How to solve this?
@amaheer1 I replied to the other thread you started here:
Lately, I’ve hade a lot of troubles with xmlrpc attacks.
add_filter( 'xmlrpc_enabled', '__return_false' );was not enough, because the massive numbers of requests brought the servers down (loading WordPres at each request). So, I wrote a plugin which denys xmlrpc.php requests already in .htaccess, except for requests from Automattic’s/JetPack’s IP address subnets. The plugin polls ARIN on a reqular basis, to get all IP addresses that belong to Automattic, and updates .htaccess accordingly.
The plugin is published here: https://wordpress.org/plugins/stop-xmlrpc-attack/
- The topic ‘Disabling XML-RPC may damage JetPack?’ is closed to new replies.