In the early days of WordPress, there were features that allowed you to interact with your website remotely. These same features made it possible to build a community by allowing other bloggers to access your blog. The main tool used for this purpose is "XML-RPC".

XML-RPC, or XML Remote Procedure Call, gives WordPress great power:

  • Connecting to your site from a smartphone
  • Trackbacks and pingbacks on your blog
  • Advanced use of Jetpack

But there is a problem with XML-RPC, which you must solve to preserve the security of your WordPress blog.

How XML-RPC is used on WordPress

Let's go back to the early days of blogging (well before WordPress), when most authors on the Internet used dial-up to surf the web. It was difficult to write articles and publish them online. The solution was to write on your computer offline and then copy and paste your article. People who used this method found it particularly frustrating because their text often contained stray formatting codes, even if the document was saved in HTML format.

Blogger created an application programming interface (API) to let other developers access Blogger blogs. Users only had to specify the name of the website; they could then write articles offline and connect to the Blogger API through XML-RPC. Other blogging systems followed suit, and eventually the MetaWeblog API standardized this kind of access.

Ten years later, most of our applications live on our phones and tablets. One of the things people like to do with their phones is post to their WordPress blog. In 2008-09, Automattic had to create a WordPress application for just about every mobile operating system (even BlackBerry and Windows Mobile).

Through the XML-RPC interface, these applications let you use your WordPress.com credentials to connect to a WordPress site where you have certain access rights.

Why should we forget about XML-RPC?

XML-RPC support has been part of WordPress since day one. WordPress 2.6 was released on July 15, 2008, and a setting to enable XML-RPC was added to the WordPress settings, defaulting to "off".

A week later, a version of WordPress for iPhone was released, and users were asked to enable the feature. Four years after the iPhone app joined the family, WordPress 3.5 enabled XML-RPC by default.

The main weaknesses associated with XML-RPC are:

  • Brute force attacks: attackers try to log into WordPress through xmlrpc.php with as many username and password combinations as they like; there is no limit on attempts. One method exposed by xmlrpc.php, system.multicall, lets an attacker pack hundreds of password guesses into a single request.
  • Denial of service attacks via pingback.

Convenience vs. WordPress Security

So, here we go again. The modern world is tiresome with its trade-offs.

If you want to make sure nobody brings a bomb aboard your boat, you run everyone through a metal detector. If you want to protect your car while you shop, you lock the doors and close the windows. You can't rely on the website password alone to protect your site (are car windows sufficient protection?), especially if you use Jetpack or the mobile apps.

How to disable XML-RPC on WordPress

So, you have become dependent on all of these tools, which are in turn dependent on XML-RPC. I understand that you don't really want to turn off XML-RPC, even for a little while.

However, here are a few plugins that will help you do that:
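Independently of those plugins, the same hardening can be done with a few WordPress filters in a must-use plugin file. This is an added example, not code from the original post or from any of the plugins; the file name is an assumption.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (example mu-plugin, not from the original post)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php (assumed name); must-use
 * plugins load automatically, so there is nothing to activate.
 */

// 1. Refuse every XML-RPC method that requires a login. This closes the
//    brute-force path through xmlrpc.php. Caveat: this filter only gates
//    authenticated calls, so unauthenticated methods such as pingback.ping
//    keep running; steps 2 and 3 deal with those.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Unregister the methods named in the weaknesses above: system.multicall
//    (many password guesses in one request) and the pingback methods (the
//    denial-of-service vector). A call to a removed method receives a
//    generic "method does not exist" fault instead of being processed.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Close pings on every post so nothing reaches the pingback code path,
//    even if another plugin re-registers the method.
add_filter( 'pings_open', '__return_false' );

// 4. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> in <head>, both of which point visitors to xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Jetpack and the mobile apps depend on the methods this removes, so test them after deploying. If XML-RPC is not needed at all, denying requests to xmlrpc.php at the web server is a stronger complement, since the endpoint above still answers with a fault.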

REST (and OAuth) to the rescue

You may know that WordPress developers are turning to a REST solution. The REST API team has had a few issues getting it ready, including with the authentication piece intended to replace XML-RPC. When it is finally implemented (currently scheduled for WordPress 4.7 at the end of 2016), you will no longer have to use XML-RPC to connect software like Jetpack.

Instead, you will authenticate via OAuth. If you do not know what OAuth is, think of what happens when a website asks you to sign in with Google, Facebook, or even Twitter: the protocol generally used on those platforms is OAuth.

Testing the WordPress REST API

As I said earlier, the REST API is not yet integrated into WordPress core, and will not be for months. For now you can start testing it in your test environments:

The REST API is definitely the future of WordPress. We have already written several tutorials on it that will give you ideas on how to start using it:

That's it for this tutorial. I hope you are now better informed about the risks associated with the use of XML-RPC. Do not hesitate to ask us questions in the comments form below.