- XML-RPC Vulnerability – Risk and Mitigations - 11/10/2024
- Choosing testing environment for VAPT - 24/06/2024
- What is the ideal web session timeout? - 15/05/2023
XML-RPC Vulnerability – Risk and Mitigations
Previous versions of WordPress (i.e., below version 3.5) were making use of XML RPC for the application to be able to post content. This had to be done because applications weren’t running WordPress itself. However, with the introduction to REST APIs, XML-RPC is no longer needed.
Attack:
If application users are still using XML RPC, their application is prone to –
- DDoS Attack: XML-RPC has pingbacked and tracebacks functions enabled by default. One can exploit xmlrpc.php to send vast numbers of pingbacks to site in a short time, leading to DoS attack.
- Brute force Attack leading to Authentication Bypass: Because xmlrpc.php sends authentication information with every request, hackers could use it to brute force.
Solution:
If you are running the latest WordPress version, which uses the REST API to communicate with external sites, you should disable xmlrpc.php as it is not required.
If you are running a version that predates the REST API, due to which you still need access to xmlrpc.php, its suggested that you at least disable the pingback function on the xmlrpc. However, we also suggest you upgrade your WordPress.
Methods to Disable XML RPC
- Using Plugin – https://wordpress.org/plugins/disable-xml-rpc/
Utilizing the Plugins screen in the WordPress admin, install and activate the plugin. You don’t need to take any other action; once the plugin is activated, XML-RPC will be turned off.
- Manually via .htaccess –
Add the below code into your .htaccess file:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>