xmlrpc.php being exploited

  • Wondering what was causing a huge bandwidth jump on my site, my host has determined that WordPress xmlrpc.php is being exploited. As a result they have shut down access off site, so I can’t use tools like posting from Flickr and using w.bloggar. Here are the recent forum posts about the problem:

    “It looks like the additional bandwidth usage is coming from an exploited part of the WordPress script you are running… looking through the logs it seems as though they are constantly linking in at your urls in the following way:- /lucas/index.php?disp=stats

    I noticed in fantastico that you are running an outdated version, so you may want to try upgrading to see if that cures the problem.

    If that fails then there are other things we can try, but let’s start off with the obvious and go from there.”

    “Asking at WordPress elicited a suggestion to install Bad Behavior which I have done. Has that stemmed the tide enough to allow server access to xmlrpc.php files again?”

    “Unfortunately it wouldn’t. From what I can tell all Bad Behaviour does is filter out known WordPress spam bots. The xmlrpc problem was that they were exploiting an unsafe php script to upload illegal content to the server.”

    I hope there is a simple answer because this is seriously affecting my enjoyment of my multiple WordPress installations.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Mark (podz)
    Support Maven

    <meta name="generator" content="WordPress 1.5.2" />
    As far as we know, there are no known exploits on this version.

    And as usual, a webhost decides to point the finger at a script instead of doing their job properly.
    Bad Behaviour does NOT just filter known spambots – it’s far cleverer than that.

    Define ‘huge bandwidth jump’.

    And a request for a non-existent file would generate bandwidth of such a tiny amount it would have to be generated millions of times to affect bandwidth.
    What do your other stats say?

    I am confident this is NOT a wp problem.

    The sites in question are my children’s sites as subdomains. All I have on their sites are WordPress and zFeeder is used for the main page. Could zFeeder be the problem? They went from a total bandwidth of 14.83MB in August to 908MB so far in October which triggered a shutdown. Biggest hits on the kids index pages. Referrers from spam/porn sites.

    It sounds as though you’re suffering from referer spam linking, and not an actual exploit of WordPress. This is, unfortunately, common.

    Several plugins exist to deal with this. Look for Referer Karma, and other such plugins.

    Just to check: did you install Bad Behavior on all blogs?

    Moderator James Huff

    I did install Bad Behaviour on each of the blogs. Will Referrer Karma complement or clash with Bad Behaviour?

    Well, they should complement each other. But BB is supposed to stem the flood, and other tools are just for the few that are left, as far as I know. (I just use BB.)
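    The two checks the replies above boil down to (does the traffic come from spam referrers, and how many hits of a given size would it take to account for the bandwidth jump?) can be made directly against the raw access log rather than taken on the host’s word. The following is an added example, not code from this thread or from Bad Behaviour or Referer Karma: it parses a few constructed Apache combined-format log lines (the IPs, referrers and byte counts are made up), aggregates hits and bytes by request path and by referrer host, and computes how many responses of a given size are needed to explain a bandwidth delta. The helper names (`parse_line`, `summarize`, `top_referrers`, `requests_to_explain`) are this example’s own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log format. The referrer field is the one referrer spam abuses:
# bots send a fake Referer header so it shows up in public stats pages.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not real traffic): one normal visit, a burst of 404s for
# the stats URL the host quoted, index-page hits carrying a spam referrer, and one
# legitimate XML-RPC post from a desktop client.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2005:10:01:02 +0000] "GET /lucas/ HTTP/1.1" 200 18432 "http://example.net/" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2005:10:01:03 +0000] "GET /lucas/index.php?disp=stats HTTP/1.1" 404 412 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2005:10:02:00 +0000] "GET /lucas/index.php?disp=stats HTTP/1.1" 404 412 "http://spam-referrer.example/" "Bot/1.0"
198.51.100.7 - - [14/Oct/2005:10:02:01 +0000] "GET /lucas/index.php?disp=stats HTTP/1.1" 404 412 "http://spam-referrer.example/" "Bot/1.0"
198.51.100.8 - - [14/Oct/2005:10:03:00 +0000] "GET /lucas/ HTTP/1.1" 200 18432 "http://spam-referrer.example/" "Bot/1.0"
198.51.100.8 - - [14/Oct/2005:10:03:05 +0000] "GET /lucas/ HTTP/1.1" 200 18432 "http://spam-referrer.example/" "Bot/1.0"
198.51.100.9 - - [14/Oct/2005:10:04:00 +0000] "GET /emma/ HTTP/1.1" 200 20011 "http://other-spam.example/x" "Bot/1.0"
203.0.113.6 - - [14/Oct/2005:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 377 "-" "w.bloggar"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize(log_text):
    """Aggregate hits and bytes by request target, by referrer host, and by status code."""
    by_target = defaultdict(lambda: {"hits": 0, "bytes": 0})
    by_referrer = defaultdict(lambda: {"hits": 0, "bytes": 0})
    by_status = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole report
        by_target[rec["target"]]["hits"] += 1
        by_target[rec["target"]]["bytes"] += rec["bytes"]
        ref = rec["referrer"]
        host = "(none)" if ref in ("-", "") else (urlparse(ref).netloc or ref)
        by_referrer[host]["hits"] += 1
        by_referrer[host]["bytes"] += rec["bytes"]
        by_status[rec["status"]] += 1
    return {"by_target": dict(by_target), "by_referrer": dict(by_referrer), "by_status": dict(by_status)}


def top_referrers(summary, n=3):
    """Referrer hosts ordered by bytes served, as (host, hits, bytes) tuples."""
    items = [(h, v["hits"], v["bytes"]) for h, v in summary["by_referrer"].items()]
    return sorted(items, key=lambda t: t[2], reverse=True)[:n]


def requests_to_explain(delta_bytes, bytes_per_hit):
    """Minimum number of responses of bytes_per_hit bytes whose total reaches delta_bytes."""
    if bytes_per_hit <= 0:
        raise ValueError("bytes_per_hit must be positive")
    return -(-delta_bytes // bytes_per_hit)  # ceiling division on integers


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("status counts:", s["by_status"])
    for host, hits, nbytes in top_referrers(s):
        print(f"referrer {host}: {hits} hits, {nbytes} bytes")
    # The figures from the thread: roughly 893 MB more in October than in August.
    # A 412-byte 404 needs millions of hits to account for that; an 18 KB index page
    # needs tens of thousands, which is what a referrer-spam flood on the index looks like.
    delta = int((908 - 14.83) * 1024 * 1024)
    print("404-sized hits needed:", requests_to_explain(delta, 412))
    print("index-page hits needed:", requests_to_explain(delta, 18432))
```

    Run against a real log, the by-referrer table shows whether the bandwidth is dominated by a handful of spam hosts hitting the index pages (the referer-spam case James describes) or by something else; the by-target table shows whether the quoted stats URL is only ever returning small 404s, which is podz’s point that such requests cannot by themselves account for hundreds of megabytes.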
