AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Does marsedit use xmlpc3/3/2023 I translated all of the ranges to CIDR netblocks using a handy CIDR subnet calculator. (The list in the article itself isn’t fully applicable for two reasons - the addresses aren’t in CIDR notation and the instructions are for Apache instead of Nginx). The site itself is running on the now-standard stack of Nginx and PHP-FPM, so here’s what I did:īasing my work off of this helpful article, I tracked down all of Automattic’s current public IP addresses. I recently had a site that was getting hammered by regular XML-RPC attacks and the user needed to have both VP and JP running. As Jetpack and VaultPress see wider distribution, disabling XML-RPC entirely becomes less of an option. Sites using Jetpack or Vaultpress (or both) have to have XML-RPC enabled or the plugins simply stop working. These two plugins rely upon XML-RPC to communicate with Automattic‘s servers to perform backups, sync comments, track stats, and a host of other functionality. However, for users of two plugins, it’s absolutely critical: VaultPress and Jetpack. In these cases, XML-RPC can be disabled in its entirety. It also allows other blogs to issue pingbacks to posts and pages. It offers a convenient way to enable remote editors, such as MarsEdit or Windows Live Writer, to publish posts and pages directly to WordPress. Unless a site has some sort of throttling enabled (via, say, fail2ban ), a single user can, through sheer persistence, overwhelm a site.įor many WordPress users, XML-RPC isn’t necessary. Unfortunately, the latest rounds of patches aren’t fully sufficient in denying persistent crackers/lamers the capability of taking down a site sheerly through repeated requests to xmlrpc.php. WordPress 3.9.2 (and 3.8.4 and 3.7.4) fixed the root problem, the vulnerability to the XML-RPC Quadratic Blowup attack, but it still allows XML-RPC functionality to be enabled. Folks in the WordPress space have been following the XML-RPC Quadratic Blowup attack fairly closely these last few weeks, as the attack has the capability to cripple sites running an unpatched version of WordPress within minutes, if not seconds.
0 Comments
Read More
Leave a Reply. |