Support » Plugin: Jetpack by WordPress.com » Disabling XML-RPC may damage JetPack?

Viewing 15 replies - 1 through 15 (of 17 total)
  • Plugin Contributor Richard Archambault

    (@richardmtl)

    Happiness Engineer

    Hi Marcelo,

    Disabling XML-RPC will cause much of Jetpack to stop functioning as expected. Rather than disabling XML-RPC, install the latest version of Akismet, which included some checks to help mitigate this issue:

    Akismet WordPress plugin 2.6.0

    Thank you Richard, there is a lot of buzz around this issue. So, any further details will help.

    Can you please enumerate the JetPack services that would stop functioning if XML RPC is disabled? I do use Stats, Comments, Publicize, Photon, and didnt noticed any problem with those services after disabling XML RPC.

    Plugin Contributor George Stephanis

    (@georgestephanis)

    Jetpack is based off a two-way communication between your server and the WordPress.com servers. That is done via xmlrpc.php. If you delete your xmlrpc.php file, some things will break — for example, the initial sync for Related Posts, single sign on, the JSON API, Subscriptions, and a number of others that don’t immediately come to mind (this is not an exhaustive list by any means). If you disconnect, you also won’t be able to re-connect to WordPress.com unless the two way sync is re-enabled.

    But it depends largely on how you’re disabling xmlrpc. If you are simply deleting the xmlrpc.php file — then yes, it will indeed break. This is a very bad idea.

    If you are using the add_filter('xmlrpc_enabled','__return_false'); method, then traditional WordPress XMLRPC will be disabled (so the mobile apps will cease to function, for example, as will a number of other third-party clients like Pressgram and IFTTT) but Jetpack will still function.

    If you’re filtering xmlrpc_methods to remove the pingback.ping method, then everything will still work, except for the pingback.ping method — which really is the intended solution in the first place.

    Oh yeah! This was the better explanation I readed until now.
    Very thanks George! It clarifies all the mess and noise regarding this issue.

    I never liked the idea of deleting xmlrpc.php file. Then I should be ok since I implemented the add_filter( 'xmlrpc_enabled', '__return_false' ); method.

    The question is, will this method be enough to safeguard the websites from being abused by the XML RPC exploitation that have been reported last week?

    Plugin Contributor George Stephanis

    (@georgestephanis)

    I really couldn’t say one way or another.

    I understand. But I also understand that disbling XML RPC with this method prevents the website for sending/accpeting pingbacks/trackbacks. That is right?

    Guys, I just wanted to ask about this other way to block XML RPC found in the just released version of iThemes Security plugin (formerly Better WP Security):

    <files xmlrpc.php>
    	Order allow,deny
    	Deny from all
    </files>

    I bet this is really more aggresive and you wouldn’t encourage to do it this way. At least not without verifying first that you don’t need remote access to the site or any local API. Right?

    Plugin Contributor George Stephanis

    (@georgestephanis)

    I wouldn’t encourage it, and I’ll contact them privately about it.

    George, I found another one you may want to give some advice:
    All In One WP Security & Firewall allow to block the XML RPC thing via htaccess, but using a bit less aggressive approach, yet breaking things down. Although they really EXPLAIN the consequences of shutting this down:

    <IfModule mod_alias.c>
    RedirectMatch 403 /(.*)/xmlrpc\.php$
    </IfModule>

    The only problem I see in using the native hook method is that the entire WP site needs to be loaded in order to apply. This could be used against a site without XML RPC to do some sort of DDoS… So, the shut down should be evaluated by any owner. The case is that plugin developers should be crystal clear on what the consequences would be.

    Any follow-up on iThemes Security’s recommending of fully disabling XML RPC?

    Is there any middle ground between disabling XML RPC via iThemes Security and allowing JetPack to function?

    Either one party or the other is correct. Either JetPack presents an exploit via XML RPC or iThemes Security is taking an overkill counter-measure.

    Can anyone guide on what the true case might be?

    i tried to find xml-rpc file but didn’t find it, so i uploaded it to the root file but still cannot connect jetpack.

    How to solve this?

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    Lately, I’ve hade a lot of troubles with xmlrpc attacks. add_filter( 'xmlrpc_enabled', '__return_false' ); was not enough, because the massive numbers of requests brought the servers down (loading WordPres at each request). So, I wrote a plugin which denys xmlrpc.php requests already in .htaccess, except for requests from Automattic’s/JetPack’s IP address subnets. The plugin polls ARIN on a reqular basis, to get all IP addresses that belong to Automattic, and updates .htaccess accordingly.

    The plugin is published here: https://wordpress.org/plugins/stop-xmlrpc-attack/

    @alfreddatakillen: sounds good, I’ll take a look at it

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Disabling XML-RPC may damage JetPack?’ is closed to new replies.