WordPress XMLRPC pingback vulnerability
Well, it seems that a new vulnerability has been found and exploited in WordPress, I’m afraid.
A WP core file, xmlrpc.php, handles pingbacks. A serious vulnerability in it was discovered almost a year ago and many sites were hacked because of it. I was under the impression that the problem was completely addressed and fixed in WordPress 3.5.1 (you *do* keep your WordPress up to date, don’t you?), but evidently that’s not the case.
It’s come to my attention that there is another WordPress XMLRPC pingback vulnerability that is being taken advantage of and used for DoS (Denial of Service) attacks. The good news is that your WordPress site doesn’t actually get hacked in this exploit (to the best of my current knowledge), but the DoS could bring your site to a screeching halt, or your site could be used to DoS other sites, which will also make your hosting company very unhappy with you.
There are a number of ways to deal with the problem, but the quick and easy one is to install and activate the “Prevent XMLRPC” plugin. There are no settings to configure.
If you have a site that depends on pingbacks, or if you use a service like Windows Live Writer with your WordPress, the plugin will be a problem, as it completely shuts off the XMLRPC function in WordPress. There are other ways of skinning the cat, but they require more technical expertise.
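As an added example of that more technical route (not from the original post, the Prevent XMLRPC plugin, or WordPress core), here is a small plugin file that removes only the pingback methods from XML-RPC using the `xmlrpc_methods`, `wp_headers` and `pings_open` filters WordPress provides; the `example_` function names are placeholders. Remote publishing clients such as Windows Live Writer keep working because the rest of XML-RPC stays switched on.

```php
<?php
/*
Plugin Name: Disable Pingbacks Only (example)
Description: Turns off the XML-RPC pingback methods while leaving the rest
of XML-RPC (remote publishing clients such as Windows Live Writer) working.
*/

// Blanket alternative, shown for contrast and left commented out: this
// switches XML-RPC off entirely, which also breaks Live Writer and pingbacks.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// 1. Drop the pingback methods from the XML-RPC method table. A pingback.ping
//    request (the call abused for the DoS) now gets a "method not found" fault,
//    while wp.*, metaWeblog.* and friends remain available to publishing clients.
function example_remove_pingback_methods( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// 2. Stop advertising the pingback endpoint in HTTP responses, so the site is
//    not picked up as a pingback-capable host when others scan for them.
function example_remove_pingback_header( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// 3. Report pings as closed for every post. Core consults pings_open() before
//    accepting a pingback and before emitting X-Pingback, so this is a second
//    layer in case another plugin re-registers the method.
add_filter( 'pings_open', '__return_false' );
```

Drop the file into wp-content/plugins/ and activate it, then confirm with an XML-RPC client that system.listMethods no longer lists pingback.ping while the wp.* methods are still present.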
Here are a couple of links about this…
http://samsclass.info/125/proj11/wpbots120613.htm
http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos
I strongly recommend installing the Prevent XMLRPC plugin ASAP!