Limiting what attackers can do via xmlrpc.php

I don’t suspect core will adopt further XML-RPC protections, but that’s not my place to say for sure, though I suspect that the API work will replace XML-RPC in a big way.

Some quick thoughts on the subject though:

1. Blocking xmlrpc.php entirely not only breaks Jetpack, it breaks mobile and desktop blogging apps too. And, if you whitelist Automattic’s IPs to allow Jetpack, you’re still blocking mobile and desktop blogging apps. And, if you allow bloggers to whitelist their home IP, that helps for desktop blogging apps, but you’ll never whitelist the IP of every cell tower out there.

1b. So, in a simple whitelist-or-block structure, it’s not so much “convenience vs. security” as it is “the ability to use your blog away from home vs. security”, it’s honestly a much harder sell.

1c. All of the major hosting providers I work with have found a way to utilize mod_security to block or mitigate the current attack itself without affecting legitimate usage of xmlrpc.php, unfortunately they don’t make those rules available (for obvious reasons), but I’m just making note that it is possible.

2. If you’re already using Jetpack, switch on its Protect module at Jetpack -> Settings, which protects *both* wp-login.php and xmlrpc.php from brute force attacks, including the newer method: https://samhotchkiss.wordpress.com/2015/10/12/testing-for-xml-rpc-multicall-vulnerabilities-in-wordpress/

3. At the end of it all, these are all brute force attacks, they’re guesses based on known common passwords. If you use a strong password, they’re never getting in this way, and there just so happens to be a great plugin for that: https://ww.wp.xz.cn/plugins/force-strong-passwords/

But if Automattic think it’s a good idea to limit this in Jetpack, why on WordPress isn’t it a good idea to do this in core??

Automattic is not WordPress, just because Jetpack does something doesn’t mean it will wind up in core. That’s kind of why Jetpack exists.

Automattic is a for-profit company that uses WordPress and happens to be CEO’d by the co-founder of WordPress, but that’s largely where the relationship ends.

To the rest of your statements, all I can say is, please get involved and help out the other developers who are volunteering their time: https://make.ww.wp.xz.cn/core/

As for XML-RPC feature, I doubt a bit it’s a hugely requested feature. For my humble tests, I guess I used it 2/3 times in a bunch of years (close to 10). And if it’s a potential hole, well, why not scrub it?

It’s a bit more difficult than just scrubbing it because a few people never use it. 😉

WordPress now powers 25% of known websites: http://ma.tt/2015/11/seventy-five-to-go/

And, XML-RPC powers all mobile and desktop blogging apps. It also powers Jetpack on a few million installations, some commenting plugins, a few other plugins with connected services, a few blog-to-print services, and I know I’m missing some, but you get the idea. 🙂

Tossing XML-RPC now would mean tossing all that, for 25% of known websites.

The good news is, the REST API is being built to be a secure and stable replacement for most of that. It’s happening, it’s in development in public view, and the start of it will be in WordPress 4.4 in just a few weeks.

There is a mountain to climb, and we’ll get over it for sure, we just can’t teleport to the other side right this minute. 🙂

PHP 7 is going to be exciting. Speed and stability improvements for everyone!

Thanks for the kind words! 🙂

I am sure I’ll regret chiming in. 😉

Automattic is not WordPress (and vice versa) but..

There really is no buts about it. Automattic isn’t ww.wp.xz.cn, period. 😉

Again, what legitimate use is there for the system.multicall method?

I can’t find it, but I think there is a patch to handle that call. It’s in the XML-RPC spec (that call) but disabling an unused call might be in the works.

*Drinks more coffee*

My Google Fu is weak at the moment, if I find that trac link I’ll post it.

Edit: I think this may be the ticket.

https://core.trac.ww.wp.xz.cn/ticket/34336