
WordPress XMLRPC pingback vulnerability

Well, it seems that a new vulnerability has been found and exploited in WordPress, I’m afraid.

A WordPress core file, xmlrpc.php, implements the XML-RPC interface that pingbacks (and remote publishing tools) use. A serious vulnerability in it was discovered almost a year ago and many sites were hacked because of it. I was under the impression that the problem was completely addressed and fixed in WordPress 3.5.1 (you *do* keep your WordPress up-to-date, don't you?), but evidently that's not the case.

It’s come to my attention that a different WordPress XML-RPC pingback weakness is being taken advantage of, this time for DoS (Denial of Service) attacks. The pingback.ping method takes a source URL and a target URL, and WordPress fetches the source URL to check that it really links back to the target. An attacker who sends many pingback requests naming a victim site as the source turns every WordPress site that accepts them into a reflector hammering that victim. The good news is that your WordPress site doesn’t actually get hacked in this exploit (to the best of my current knowledge), but the DoS could bring your site to a screeching halt or be used to attack other sites, which will also make your hosting company very unhappy with you.

There are a number of ways to deal with the problem, but the quick and easy one is to install and activate the “Prevent XMLRPC” plugin. It has no settings to configure; it simply disables the XML-RPC endpoint.

If you have a site that depends on pingbacks, or if you publish through a remote tool such as Windows Live Writer, the plugin will be a problem because it shuts off the XML-RPC function in WordPress entirely. There are other ways of skinning the cat, such as removing only the pingback methods from XML-RPC while leaving remote publishing working, or blocking requests to xmlrpc.php at the web server, but they take more technical expertise.
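For readers who need XML-RPC for remote publishing but not pingbacks, here is the middle-ground approach as an added example. This is not the “Prevent XMLRPC” plugin and not WordPress core code; it is a small must-use plugin (drop it in wp-content/mu-plugins/ as any .php file name) that uses two real WordPress filters, xmlrpc_methods and wp_headers, to unregister only the pingback methods and stop advertising the pingback URL. The function names with the kb_ prefix are my own choice. You can confirm it worked by POSTing a system.listMethods XML-RPC call to your xmlrpc.php and checking that pingback.ping is no longer in the list.

```php
<?php
/*
Plugin Name: Disable Pingback Methods (example)
Description: Added example, not the "Prevent XMLRPC" plugin. Removes only the
pingback XML-RPC methods so Windows Live Writer and similar tools keep working.
*/

// Remove the pingback methods from the XML-RPC method table before the server
// dispatches a request. pingback.ping is the call that makes WordPress fetch an
// attacker-chosen source URL, which is what the reflection DoS relies on. All
// other methods (wp.*, mt.*, blogger.*, metaWeblog.*) stay registered.
function kb_drop_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'kb_drop_pingback_methods' );

// WordPress adds an X-Pingback header to front-end responses that points at
// xmlrpc.php. Attackers scan for that header to build their list of reflectors,
// so stop sending it. (A theme may still print <link rel="pingback"> in its
// header.php; remove that from the theme if present.)
function kb_drop_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'kb_drop_pingback_header' );
```

Because this only unregisters methods, a pingback.ping request is answered with an XML-RPC “method not found” fault instead of an outbound fetch, and your site stops acting as a reflector. Outgoing pingbacks you send to other sites are unaffected; if you want those off as well, disable “Attempt to notify any blogs linked to from the article” under Settings → Discussion.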

Here are a couple of links about this…

I strongly recommend installing the Prevent XMLRPC plugin ASAP!
