Is WordPress’s XML-RPC functionality a security vulnerability?

Viewing 8 replies - 1 through 8 (of 8 total)
Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    I don’t agree, to be honest. It still requires a username and password to post, so if you think that’s insecure, you might as well just stop using anything that only requires a username and password. 🙂

    And, that also says a lot about the host you’re using. Maybe it’s time to move? 😉

    If you’re concerned about security, here are a bunch of recommended things: http://codex.wordpress.org/Hardening_WordPress

    It still requires a username and password to post

    Well, note that the problems with it go beyond the danger of allowing a stranger who knows your password to post to your blog.

    In addition to XML-RPC being used to try to [link moderated – keep support on this site] guess passwords (this is new since many hosting companies now rate-limit wp-login.php), it can also be used to make your site attack other sites. It’s likely that the hosting company was referring to these unexpected dangers.

    XML-RPC is still enabled on our blog because we have other measures in place, but if I didn’t, I think I’d disable it. Removing any software you don’t use from your site improves security as it minimizes what’s exposed to hackers. But that’s a general rule, not specific to XML-RPC; the same thing applies to removing plugins and old theme files you don’t use, for example.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Yes, XML-RPC can be used to brute-force guess passwords, but so can wp-login.php. 🙂

    If the hosts are really concerned about it, they can rate-limit XML-RPC too. For example, the likelihood of anyone but a brute-force bot sending 30 calls to XML-RPC in 15 minutes is very slim.

    The discussion of returning XML-RPC controls has been hashed out by the core developers thousands of times; I’d rather not repeat the whole act here, but you can find the various discussions via Google. Basically, the decision was reached that confusion caused by XML-RPC being disabled was more prevalent than security concerns, as XML-RPC is really no more vulnerable than wp-login.php.

    Just follow the recommended security procedures, and you’ll have nothing to worry about: http://codex.wordpress.org/Hardening_WordPress

    If the hosts are really concerned about it, they can rate-limit XML-RPC too

    That’s definitely true. The unfortunate thing is that it’s much harder to add rate-limiting rules for XML-RPC, so fewer will.

    It’s easy to rate-limit HTTP POSTs to wp-login.php because every single one of them represents a single attempt to log in (and nothing else). And it’s easy to tell whether the request sent the right password or not based on the HTTP result code. So you can trivially generate a list of all IP addresses that are sending bad logins just by searching through your Web server’s access.log.

    But a POST to xmlrpc.php can contain many different kinds of actions, some of which are expected to be repeated and must not be rate-limited.

    So you have to examine the XML content of the request to find ones that are password guessing attempts — and if you want to know whether it was valid or not, you have to examine the contents of the result body, too, because the HTTP result code is always “200”, whether a bad password is sent or not.

    Many hosting companies probably don’t have the tools to intercept and parse HTTP request and result bodies to do this properly, so I would expect that on average, xmlrpc.php is going to be more vulnerable than wp-login.php, unfortunately. 🙁

    Just follow the recommended security procedures, and you’ll have nothing to worry about

    Agreed.
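The body-level check described in the reply above, as an added example that is not from the thread, from WordPress, or from any hosting provider: it parses captured xmlrpc.php request/response pairs, counts only credentialed calls whose response body is a fault, and applies the 30-calls-in-15-minutes threshold James mentioned, per client IP. Assumptions: the (timestamp, ip, request, response) record shape, that the second parameter of wp.*/blogger.*/metaWeblog.*/mt.* calls is the username, and that a failed login comes back as a fault with faultCode 403; the sample traffic is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: wp.*, blogger.*, metaWeblog.* and mt.* calls carry (blog_id/appkey, username,
# password, ...), so the second <param> is the username; pingback.ping and friends do not.
CREDENTIALED = ("wp.", "blogger.", "metaWeblog.", "mt.")

def login_attempt(request_body):
    """Username if this call carries credentials, else None (repeated pingbacks are normal)."""
    root = ET.fromstring(request_body)
    if not (root.findtext("methodName") or "").startswith(CREDENTIALED):
        return None
    values = root.findall("params/param/value")
    return values[1].findtext("string") if len(values) > 1 else None

def auth_failed(response_body):
    """True for a fault with faultCode 403 (assumed: bad username/password). HTTP is 200 either way."""
    root = ET.fromstring(response_body)
    for m in root.findall("fault/value/struct/member"):
        if m.findtext("name") == "faultCode":
            return m.findtext("value/int") == "403"
    return False

def flag_guessers(records, limit=30, window=timedelta(minutes=15)):
    """records: (timestamp, client_ip, request_body, response_body); returns IPs with >= limit failures in a window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, req, resp in sorted(records, key=lambda r: r[0]):
        if login_attempt(req) is None or not auth_failed(resp):
            continue  # a success, or a call that never checks a password
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return flagged

# Constructed sample traffic: a guessing bot (31 failures in ~10 min) and a legitimate editor's client.
def _call(method, user):
    return (f"<methodCall><methodName>{method}</methodName><params><param><value><int>1</int>"
            f"</value></param><param><value><string>{user}</string></value></param>"
            "<param><value><string>pw</string></value></param></params></methodCall>")
FAULT_403 = ("<methodResponse><fault><value><struct><member><name>faultCode</name><value><int>403"
             "</int></value></member><member><name>faultString</name><value><string>Incorrect "
             "username or password.</string></value></member></struct></value></fault></methodResponse>")
OK = "<methodResponse><params><param><value><array><data/></array></value></param></params></methodResponse>"
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [(T0 + timedelta(seconds=20 * i), "198.51.100.7", _call("wp.getUsersBlogs", "admin"), FAULT_403)
          for i in range(31)]
SAMPLE += [(T0 + timedelta(seconds=10 * i), "203.0.113.5", _call("wp.getPosts", "editor"), OK) for i in range(40)]
```

The editor's 40 successful wp.getPosts calls would trip a naive per-IP request counter but are left alone here, because only failures visible in the response body count.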

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    I suspect that if it becomes enough of a problem, someone will write a plugin along the lines of http://wordpress.org/plugins/limit-login-attempts/ which is what most of the hosting providers use to rate-limit wp-login.php. Despite its age, it still works great. 🙂

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    And on that note, it looks like there already is one: http://wordpress.org/plugins/login-security-solution/

    Thread Starter bourkedesign

    (@bourkedesign)

    Thanks so much James and tigertech! I appreciate your insights here.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    You’re welcome!
