Simple Security Firewall
[resolved] I was curious if Simple Firewall protects WP against the XML-RPC exploit? (7 posts)

  1. garymgordon
    Member
    Posted 1 year ago #

    I was curious if Simple Firewall protects WP against the XML-RPC exploit?

    As mentioned here:
    http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

    I was curious if Simple Firewall has anything built in (or will) to protect against this?

    Gary

    https://wordpress.org/plugins/wp-simple-firewall/

  2. Paul G.
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Gary,

    Thanks for the question.

    The XML-RPC problem is not an exploit or vulnerability as such; it basically will just bring down a site/server with a DDoS.

    The "solution" that sucuri is referring to in their article simply prevents your WordPress site from being *used* to attack other WordPress sites. It doesn't stop you from being a target and there is ultimately no way to protect against this. This whole problem is ultimately for the WordPress core dev team to address.

    However, I would recommend you use a web firewall such as CloudFlare that will, in general, help protect against many attacks.

    They have a setting specifically to protect you against the DDOS but it's in their pro plan (http://blog.cloudflare.com/wordpress-pingback-attacks-and-our-waf) but either way, worth having their service regardless.

    I hope that helps.
    Paul.

  3. garymgordon
    Member
    Posted 1 year ago #

    Paul,

    Thanks for following up.

    So, I guess there's no way that WP Simple Firewall can include any protection against this or is it just not worth worrying about?

    Gary

  4. Paul G.
    Member
    Plugin Author

    Posted 1 year ago #

    The best way to prevent this is to block access to the xml-rpc system, which is best done through the use of .htaccess or removing it altogether.

    With the Simple Firewall we've opted from the outset to not need to modify core files on the filesystem.

    These sorts of exploits are best handled at the server level - i.e. before WordPress is even loaded. And to do that you could edit your .htaccess files, as 1 example.

    We may adapt our stance on modifying system files, but we like to be hands-off the .htaccess files, as with so many plugins all playing with core files like that, we never wanted to join that party. It can get quite messy.

    Best to disable your XMLRPC (and I think we could offer the option within the plugin to do that).
    http://wpengineer.com/2484/xml-rpc-enabled-by-default-in-wordpress-3-5/

    Fire on CloudFlare and that'll help you with ddos and dodgy traffic in a huge way.
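
    The in-WordPress alternative to the .htaccess block that Paul describes, as an added example that is not part of the thread and not code from the Simple Firewall plugin or from WordPress core: a must-use plugin that removes the pingback methods from the XML-RPC method table so the site can no longer be used as a reflector, while leaving the rest of XML-RPC working. The file name, the function names and the EXAMPLE_DISABLE_ALL_XMLRPC constant are assumptions made for this example; the filters it hooks (xmlrpc_methods, wp_headers, xmlrpc_enabled) are the real WordPress hooks. One point the pingback reports usually leave out, and which the code comments on: the xmlrpc_enabled filter only gates methods that require a login, and pingback.ping is unauthenticated, so flipping that filter alone does not stop the amplification.

    ```php
    <?php
    /**
     * Plugin Name: Pingback Hardening (added example)
     * Description: Removes the XML-RPC pingback methods abused by the reflected
     *              DDoS discussed in the thread. Added example; not code from the
     *              Simple Firewall plugin or WordPress core.
     *
     * Place this file in wp-content/mu-plugins/ (created if missing) so it loads
     * before regular plugins and cannot be deactivated from the admin screens.
     * The constant and function names below are assumptions for this example.
     */

    // Set to true to also reject every authenticated XML-RPC method. That is the
    // "block the whole xmlrpc functionality" trade-off Paul warns about: the
    // mobile apps, Jetpack and remote publishing clients stop working.
    if ( ! defined( 'EXAMPLE_DISABLE_ALL_XMLRPC' ) ) {
        define( 'EXAMPLE_DISABLE_ALL_XMLRPC', false );
    }

    /**
     * Drop the pingback methods from the server's method table.
     *
     * pingback.ping needs no login, so the 'xmlrpc_enabled' filter (which only
     * guards the login step) does not cover it; it has to be removed here or
     * the site can still be pointed at a victim URL by an attacker.
     *
     * @param array $methods method name => callback, as passed by WordPress.
     * @return array the same table without the pingback entries.
     */
    function example_remove_pingback_methods( array $methods ) {
        unset( $methods['pingback.ping'] );
        unset( $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    }
    add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

    /**
     * Stop advertising the endpoint: WordPress adds an X-Pingback header on
     * singular pages with pings open. Removing it keeps scanners from
     * harvesting the URL from response headers. The <link rel="pingback">
     * tag some themes print in header.php must be removed in the theme.
     *
     * @param array $headers response headers collected by WP::send_headers().
     * @return array headers without X-Pingback.
     */
    function example_remove_pingback_header( array $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    }
    add_filter( 'wp_headers', 'example_remove_pingback_header' );

    if ( EXAMPLE_DISABLE_ALL_XMLRPC ) {
        // Every method that calls login() now fails with "XML-RPC services are
        // disabled on this site". Unauthenticated methods are still served,
        // which is why the pingback removal above stays in place regardless.
        add_filter( 'xmlrpc_enabled', '__return_false' );
    }
    ```

    After installing, a quick check is to POST a `pingback.ping` call to `/xmlrpc.php` from your own machine and confirm the reply is a fault for an unknown method rather than a success; the `system.listMethods` call should no longer list either pingback method. This keeps the endpoint reachable, so it does not replace the server-level .htaccess block if what you want is to take xmlrpc.php off the network entirely.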

  5. garymgordon
    Member
    Posted 1 year ago #

    Thanks again.

    I also use BulletProof Security Pro. They are adding an .htaccess block for this.

    So thanks for your info.
    Gary

  6. Paul G.
    Member
    Plugin Author

    Posted 1 year ago #

    Cool... I'd be careful as to the effect of that .htaccess as that might block the whole xmlrpc functionality. Not a problem if that's what you want.

    Cheers!
    Paul.

  7. garymgordon
    Member
    Posted 1 year ago #

    Exactly. :-)
    Gary
