
WordPress XMLRPC pingback vulnerability

Well, it seems that a new vulnerability has been found and exploited in WordPress, I’m afraid.

A WordPress core file, XMLRPC.php, handles pingbacks. A serious vulnerability in it was discovered almost a year ago and many sites were hacked because of it. I was under the impression that the problem had been completely addressed and fixed in WordPress 3.5.1 (you *do* keep your WordPress up-to-date, don’t you??), but evidently that’s not the case.

It’s come to my attention that there is another WordPress XMLRPC pingback vulnerability that is being actively taken advantage of for DoS (Denial of Service) attacks. The good news is that your WordPress site doesn’t actually get hacked in this exploit (to the best of my current knowledge), but the DoS could bring your site to a screeching halt, or your site could be used to DoS other sites, which will also make your hosting company very unhappy with you.

There are a number of ways to deal with the problem, but the quick and easy one is to install and activate the “Prevent XMLRPC” plugin. It has no settings to configure.

If you have a site that depends on pingbacks, or if you use a service like Windows Live Writer with your WordPress, the plugin will be a problem, as it completely shuts off the XMLRPC function in WordPress. There are other ways of skinning the cat, but they start taking more technical expertise.
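For sites that still need XML-RPC for a publishing client like Windows Live Writer but have no use for pingbacks, one of those more technical routes is a small must-use plugin that removes only the pingback methods and leaves the rest of XML-RPC working. The following is an added example written for this post; it is not the post’s own code and it is not the “Prevent XMLRPC” plugin. It assumes the WordPress core filters `xmlrpc_methods`, `wp_headers` and `xmlrpc_enabled`, all present in WordPress 3.5.1, the version mentioned above.

```php
<?php
/*
Plugin Name: Disable XML-RPC Pingbacks (example)
Description: Added example, not the "Prevent XMLRPC" plugin. Removes only the
pingback methods from XML-RPC so remote publishing clients keep working.
*/

// Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically,
// with nothing to activate. Assumption: 'xmlrpc_methods', 'wp_headers' and
// 'xmlrpc_enabled' are the core WordPress filters of those names.

// 1. Remove the pingback methods from the table of XML-RPC methods. Every
//    other method (metaWeblog.*, wp.*, which Windows Live Writer relies on)
//    stays available, so remote publishing is unaffected.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint: WordPress adds an X-Pingback
//    header on single posts that allow pings, and scanners look for it.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Optional hard switch. If the site has no use for XML-RPC at all, uncomment
//    this line and WordPress refuses every XML-RPC request, which is the same
//    end result as the "Prevent XMLRPC" plugin recommended above.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

After installing it, a quick check is to request a single post and confirm the `X-Pingback` header is gone, and to confirm your publishing client can still post; if the site never needs XML-RPC, step 3 is the simpler and safer choice.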

Here are a couple of links about this…
http://samsclass.info/125/proj11/wpbots120613.htm
http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos

I strongly recommend installing the Prevent XMLRPC plugin ASAP!
