Plugin Author
Paul
(@paultgoodchild)
Hi Gary,
Thanks for the question.
The XML-RPC problem is not an exploit or vulnerability as such; it basically will just bring down a site/server with a DDoS.
The “solution” that Sucuri is referring to in their article simply prevents your WordPress site from being *used* to attack other WordPress sites. It doesn’t stop you from being a target, and there is ultimately no way to protect against this. This whole problem is ultimately for the WordPress core dev team to address.
However, I would recommend you use a web firewall such as CloudFlare that will, in general help protect against many attacks.
They have a setting specifically to protect you against the DDoS, but it’s in their pro plan (http://blog.cloudflare.com/wordpress-pingback-attacks-and-our-waf). Either way, their service is worth having regardless.
I hope that helps.
Paul.
Paul,
Thanks for following up.
So, I guess there’s no way that WP Simple Firewall can include any protection against this or is it just not worth worrying about?
Gary
Plugin Author
Paul
(@paultgoodchild)
The best way to prevent this is to block access to the XML-RPC system, which is best done through the use of .htaccess or by removing it altogether.
With the Simple Firewall we’ve opted from the outset to not need to modify core files on the filesystem.
These sorts of exploits are best handled at the server level – i.e. before WordPress is even loaded. And to do that you could edit your .htaccess files, as one example.
We may adapt our stance on modifying system files, but we like to be hands-off the .htaccess files, as with so many plugins all playing with core files like that, we never wanted to join that party. It can get quite messy.
Best to disable your XML-RPC (and I think we could offer the option within the plugin to do that).
http://wpengineer.com/2484/xml-rpc-enabled-by-default-in-wordpress-3-5/
Fire on CloudFlare and that’ll help you with DDoS and dodgy traffic in a huge way.
Thanks again.
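The server-level block Paul describes above, written out as an added example (this is not code from the thread, from Paul, or from the Simple Firewall plugin). It assumes Apache with .htaccess overrides enabled for the WordPress document root; the rule is placed in the .htaccess file next to wp-config.php and denies every request to xmlrpc.php before any PHP runs, so WordPress never loads for those requests. It covers both the Apache 2.4 (`Require`) and 2.2 (`Order`/`Deny`) syntaxes so the same file works on either version.

```apache
# Added example: deny all access to the XML-RPC endpoint at the web-server
# level. Apache answers 403 and WordPress/PHP is never invoked for these hits.
<Files "xmlrpc.php">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
        # Assumption, optional: to keep XML-RPC for one trusted client,
        # replace the line above with
        #   Require ip 203.0.113.10
        # (203.0.113.10 is a documentation address used here as a placeholder).
    </IfModule>
    # Apache 2.2 (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After saving the file, a request such as `curl -I https://example.com/xmlrpc.php` (example.com standing in for the site's own hostname) should return `403 Forbidden`, and nothing should appear in PHP or WordPress logs for it. As Paul notes later in the thread, this blocks the whole XML-RPC interface, pingbacks included, so any legitimate XML-RPC client (remote publishing tools, mobile apps) will stop working unless it is explicitly allowed.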
I also use BulletProof Security Pro. They are adding an .htaccess block for this.
So thanks for your info.
Gary
Plugin Author
Paul
(@paultgoodchild)
Cool… I’d be careful as to the effect of that .htaccess, as that might block the whole XML-RPC functionality. Not a problem if that’s what you want.
Cheers!
Paul.
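For readers who want to keep XML-RPC working but stop their site being used as a pingback reflector against other sites, here is an added example of the in-WordPress alternative Paul alludes to ("we could offer the option within the plugin"). It is not code from the thread or from the Simple Firewall plugin; it is a small must-use plugin (drop it into wp-content/mu-plugins/ under any filename ending in .php) that uses only core WordPress filters. It removes the pingback methods from the XML-RPC server and stops advertising the pingback endpoint. Because WordPress still loads for every request to xmlrpc.php, this addresses the "being *used* to attack others" side Paul describes, not the "being a target" side; a flood of requests still reaches PHP, which is why the server-level .htaccess block is the stronger option when XML-RPC is not needed at all.

```php
<?php
/*
 * Plugin Name: Pingback hardening (added example, not part of any plugin)
 * Description: Keep XML-RPC available but remove the pingback methods that
 *              are abused to make this site attack other sites.
 */

// Option A (commented out): switch XML-RPC off entirely from within WordPress.
// Equivalent in effect to denying xmlrpc.php in .htaccess, except that PHP
// still runs for each request.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: keep XML-RPC, but drop the pingback methods from the method table
// the XML-RPC server exposes. 'pingback.ping' is the method a remote attacker
// calls to make this site fetch an arbitrary URL.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint: WordPress adds an X-Pingback header
// to singular pages when pings are open. Removing it makes the site a less
// obvious reflector target for scanners that look for that header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Also report pings as closed everywhere so no outgoing pingbacks are sent
// and no pingback link is emitted in page markup.
add_filter( 'pings_open', '__return_false', 20 );
```

To check the effect, POST an XML-RPC `system.listMethods` call to /xmlrpc.php: the response should list the usual `wp.*` methods but no `pingback.*` entries, and `curl -I` on any post URL should no longer return an X-Pingback header.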