Windows XML-RPC Under Attack!
Once again, we find a perpetual weak spot in the WordPress ecosystem as the target of a large-scale attack hitting sites around the world.
The XML-RPC tool is vulnerable because it is one of the few WordPress endpoints that accept external communication: it lets pingbacks/trackbacks post to your site, and it lets website owners connect via third-party tools such as Windows Live Writer and the WordPress mobile app.
These are all very interesting and important things and so the XML-RPC communication method can’t be easily dismissed and removed.
Fortunately, only a very small percent of website owners actually utilize this connection tool, and for those who don’t, the answers to closing the door are easy!
The Latest Attack
This week Sucuri published the data on this attack and the numbers are big, but more importantly they are GROWING!
While there are methods of mitigating the damage of this particular attack this week, hackers continue to come up with new and devious methods, and we’ve often been caught with our proverbial trousers down on this front.
An Incomplete Discussion
I don’t lose my cool online too often – but this week has found me HIGHLY aggravated at sellers with a product to protect – giving wildly incomplete advice.
It’s not my job here to sell you any one plugin over another. It’s not even my job for you to LIKE me. However, it IS my job to help you keep your ass(ets) safe and growing online.
Posts from certain publishers have foolishly led readers like yourself into a dangerous catch-22 by refusing to tell you the full truth.
When it comes to XML-RPC, your three options are:
(1) Fully disabled – which is practical since MOST site owners don’t USE it…
(2) Partially disabled, which plugins like iThemes Security can make easy… and
(3) Fully enabled – which continues to be the source of the problem because the API can be called externally.
The questions should always start with… Are you USING this thing? If you’re not, shut it off. If you are – which parts?
If this attack successfully hits your site, it will do two things. First, it will tax your system resources and make the site sluggish while it beats on your login (up to 500 usernames/passwords per single hit!). Then, once it gets inside, it will hack you and leave you needing a full hack cleanup.
Tools That Rely on XML-RPC To Function Normally
- WordPress Mobile App
- Windows Live Writer
- LibSyn (Podcasts)
- JetPack (Just some parts)
- Some Photo Gallery Plugins
- IFTTT (except the RSS based connections)
What You Can Do To Shut Off XML-RPC
There are several different ways you can shut XML-RPC off depending on how you wish to approach the problem.
- Install “Disable XML-RPC”. Just activate the plugin and you’re good to go. (You should also go into Settings -> Discussion and disable trackbacks and pingbacks, however.)
- Use the tools built into your security plugin to partially or completely disable XML-RPC. (In this screenshot, you will see the settings provided by iThemes Security.)
- Disable the feature using code changes. (Learn more in step #3 here.)
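For the “code changes” route, here is an added example (not the post’s own code, and not the iThemes Security plugin’s) of a small must-use plugin that implements option (1) or option (2) from the list above. It relies on WordPress’ real `xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers` and `bloginfo_url` filters; the file location and the `XMLRPC_LOCKDOWN_MODE` constant name are my assumptions.

```php
<?php
/**
 * Plugin Name: Lock Down XML-RPC (example mu-plugin)
 * Description: 'full' = option (1), refuse every XML-RPC method that needs a
 *              login; 'partial' = option (2), keep remote publishing but drop
 *              pingbacks and multicall. Drop into wp-content/mu-plugins/
 *              (assumed location).
 */

// Assumed constant name; set to 'full' or 'partial'.
if ( ! defined( 'XMLRPC_LOCKDOWN_MODE' ) ) {
    define( 'XMLRPC_LOCKDOWN_MODE', 'full' );
}

if ( 'full' === XMLRPC_LOCKDOWN_MODE ) {
    // Option (1): every method that requires authentication is refused with
    // "XML-RPC services are disabled on this site." Note that this filter only
    // guards the login step, so the unauthenticated pingback methods still
    // answer unless they are removed below.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Applied in both modes: strip the methods nobody needs and attackers love.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // Pingbacks let a stranger make your site post, with no login at all.
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    // system.multicall is how hundreds of login guesses ride in one request.
    unset( $methods['system.multicall'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Don't print the pingback <link> in the page head either.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

With `partial`, Windows Live Writer and the mobile app keep working; with `full`, they stop, which matches the trade-off described in the rest of this post.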
Testing your XML-RPC Setting
You can try the XML-RPC Validator, written by Danilo Ercoli of the Automattic Mobile Team – the tool is available at http://xmlrpc.eritreo.it/ with a blog post about it at http://daniloercoli.com/2012/05/15/wordpress-xml-rpc-endpoint-validator/.
I ran a poll over in the #YCDI group, and what you can see is that most people simply are NOT using the features of XML-RPC, and so the answer is SIMPLE!
TURN IT OFF!
I STRONGLY advise you to go into the settings of your security plugin and to move XML-RPC to “completely disabled”.
Yes, this is going to not only disable pingbacks/trackbacks (which haven’t been safe for some time) but is also going to block you from using many outside tools such as Windows Live Writer to remote publish to your blog.
Do it anyway! Because the alternative is either (a) getting hacked or (b) having your server/hosting disabled due to the impact of a DoS attack on your site as this endpoint is used to try to guess your passwords.
Unless you come upon some need for what XML-RPC provides, simply leave the tool disabled forever. If, by chance, you are one of the few that need access to XML-RPC, then you are tasked with a much larger challenge of mitigating the attacks and keeping the hackers under control without the simple solution of being able to disable it.
Remember that you need to do this for every single installation of WordPress in your cPanel/hosting (including old sites you’ve forgotten about), as even one single vulnerable site can lead to the infection of all the others.
For more than a year now, I have kept XML-RPC disabled not only on my own websites but also for my VIP managed hosting clients.
I have a WordPress security course coming out soon (almost done updating it) that will help you learn how to head off a lot of the trouble sites are facing today. We also offer a comprehensive security audit and assistance with security cases if you would like to get your site reviewed by a professional.
Are you using XML-RPC to connect to your blog or have you already disabled it?
~ Kim ~
Smart Tech For Smart Marketers