Dear John,
Thank you for trying it and letting me know about XML-RPC.
I read the code of iThemes Security and I found no issue related to XML-RPC. But I strongly recommend you configure only one or the other to eliminate the waste of resources. Which one should be used depends on your expectations. Here’s my recommendation:
- Use case 1: If you want to completely disable XML-RPC and do not care about what type of attacks come to your site, then iThemes is better than IGB, because the former will block at the HTTP server level while the latter blocks at the PHP level.
- Use case 2: If you want to disable only pingbacks, then iThemes is the best because IGB doesn’t have such a setting.
- Use case 3: If you want to allow only pingbacks, I recommend IGB because it blocks those coming from undesired countries and still allows Jetpack and the WordPress mobile app.
- Use case 4: If you want to disable “XML-RPC system.multicall”, then I think both are almost the same. I described the reason in the 2.2.3 Release Note.
I hope this helps you. And I would appreciate it if you let me know your expectations.
Thanks.
Thread Starter
John
(@dsl225)
Yes this helps, many thanks for your assistance!
Also, the same in relation to iSec: what should I set up for “Maximum number of login attempts” when I already have this setting defined for “Max Login Attempts Per Host/User” in iSec?
Yes, there exists the same relationship between them. But in the case of IGB, a login attempt from undesired countries would be immediately blocked. It’s the same as if “Maximum number of login attempts” were zero.
In the case of “login attempts from permitted countries”, both “limiting login attempts by host” and “limiting login attempts by user” have pros and cons. For example, if you have an account named “john” on your site and someone attempts to log in using that name, then you will be locked out. Likewise, someone can easily change their host/IP using a proxy.
So it completely depends on your choice.
Thread Starter
John
(@dsl225)
Thanks, I understand, but what should I use in “Maximum number of login attempts” in IGB when I already have limited host and user attempts in iSec? Should I set it to 0?
Should I set it to 0?
No.
I think it’s good if they have the same number. For example, the default value of “Max Login Attempts Per Host” in iSec is 5 (while the default value of “Max Login Attempts Per User” is 10). Then “Maximum number of login attempts” in IGB might be 5.
Thread Starter
John
(@dsl225)
In my settings, “Max Login Attempts Per Host” in iSec is 7.
So I have to use the same figure in IGB, right?
Sorry, but I wrote the wrong words. They don’t need to be the same number. 10 in IGB is OK because the smallest number (i.e. 7 in iSec) is the one that predominates in limiting the login attempts.
Thanks.
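To make the reasoning in the replies above concrete (a layer that rejects immediately behaves like a limit of zero; whichever limit is smallest is the one that actually stops the attacker; a per-host limit can be dodged by rotating proxies while a per-user limit ends up locking out the real account), here is a small Python simulation of two independent login-attempt limiters stacked in front of wp-login. This is an added example for this thread, not code from IP Geo Block or iThemes Security; the ordering of the checks, the separate failure counters, the limit values, the country code “ZZ” and the IP addresses are all constructed assumptions for the demonstration.

```python
from collections import Counter

# Constructed settings for the simulation (assumptions, not the plugins' own defaults):
IGB_MAX_LOGIN_ATTEMPTS = 10      # IGB "Maximum number of login attempts"
ISEC_MAX_PER_HOST = 7            # iSec "Max Login Attempts Per Host" (the value from the thread)
ISEC_MAX_PER_USER = 10           # iSec "Max Login Attempts Per User" (default quoted in the thread)
BLOCKED_COUNTRIES = {"ZZ"}       # placeholder code standing in for an "undesired" country


class LoginGate:
    """Two independent limiters in front of the login form.

    Model assumptions: the country check runs first and rejects without counting;
    every layer keeps its own failure counter; a request is rejected as soon as
    any one counter has already reached its limit.
    """

    def __init__(self, igb_max=IGB_MAX_LOGIN_ATTEMPTS, isec_host=ISEC_MAX_PER_HOST,
                 isec_user=ISEC_MAX_PER_USER, blocked=BLOCKED_COUNTRIES):
        self.igb_max, self.isec_host, self.isec_user = igb_max, isec_host, isec_user
        self.blocked = set(blocked)
        self.igb_fails = Counter()    # IGB: failed attempts per IP
        self.host_fails = Counter()   # iSec: failed attempts per IP
        self.user_fails = Counter()   # iSec: failed attempts per username

    def attempt(self, ip, country, username, password_ok):
        if country in self.blocked:
            return "blocked:country"          # IGB: equivalent to a limit of zero
        if self.igb_fails[ip] >= self.igb_max:
            return "locked:igb"
        if self.host_fails[ip] >= self.isec_host:
            return "locked:isec-host"
        if self.user_fails[username] >= self.isec_user:
            return "locked:isec-user"
        if password_ok:
            return "ok"
        self.igb_fails[ip] += 1
        self.host_fails[ip] += 1
        self.user_fails[username] += 1
        return "fail"


def brute_force(gate, ips, country, username, max_tries=1000):
    """Submit wrong passwords, rotating through `ips`, until some layer stops it.
    Returns (number of failures that were counted, the status that stopped it)."""
    for n in range(max_tries):
        status = gate.attempt(ips[n % len(ips)], country, username, False)
        if status != "fail":
            return n, status
    raise RuntimeError("never locked out")


def scenarios():
    """The cases discussed in the thread, as (counted failures, stopping status)."""
    one_ip = ["203.0.113.5"]
    many_ips = [f"198.51.100.{i}" for i in range(1, 51)]   # attacker rotating proxies
    out = {}
    # 1. IGB 10 / iSec host 7 / user 10: the smallest number (7) is the one that bites.
    out["single_host"] = brute_force(LoginGate(), one_ip, "US", "john")
    # 2. Lower IGB to 5: now IGB locks first; again the smallest number wins.
    out["igb_5"] = brute_force(LoginGate(igb_max=5), one_ip, "US", "john")
    # 3. Undesired country: rejected on the very first request, no counter moves.
    out["blocked_country"] = brute_force(LoginGate(), one_ip, "ZZ", "john")
    # 4. Proxy rotation defeats the per-host limit; only the per-user limit stops it,
    #    and the real "john" is then locked out even with the correct password.
    g = LoginGate()
    out["proxy_rotation"] = brute_force(g, many_ips, "US", "john")
    out["real_john_after"] = g.attempt("192.0.2.10", "US", "john", True)
    out["other_user_after"] = g.attempt("192.0.2.10", "US", "alice", True)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} {result}")
```

Running it shows 7 counted failures before the per-host limit trips with the thread's numbers, 5 when IGB is lowered to 5, 0 for a blocked country, and 10 for the proxy-rotating attacker, after which “john” is locked out while “alice” can still log in from the same address.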
Thread Starter
John
(@dsl225)
OK now I better understand.
Thanks a lot for your help!
Thread Starter
John
(@dsl225)
Just to clarify: if I want to use “Use case 2” in your example above and let iSec manage pingbacks, which setting should I choose here, “disable” or “completely close”?
Sorry for my incomplete answer. It should be “Disable”.
Thanks.
Thread Starter
John
(@dsl225)
Great, this is also what I thought but wanted to make sure.
Many thanks again!