Your Wordpress site is vulnerable due to Xmlrpc.php

in #hacking · 6 years ago (edited)

Google the keyword 'xmlrpc.php' and the first page of results is full of articles titled "Why You Should Disable xmlrpc.php". It almost seems as if having this file on a hosted WordPress site is generally a bad idea.

What can xmlrpc.php do?

Basically, it allows any operation supported by the WordPress XML-RPC API to be executed, provided the request carries valid account credentials (a username and password). To name a few, it can:

  • Insert a new post
  • Delete a post
  • Edit a post
  • Add a comment
  • Get any information related to the site

So you get the idea: almost everything a site owner can do through the WordPress GUI.

These behaviours make xmlrpc.php worse

Type a URL of the form https://yourwordpresssite.wordpress.com/xmlrpc.php into the address bar and hit Return. Most likely the response will be "XML-RPC server accepts POST requests only." That means xmlrpc.php is on and ready to be called from anywhere, at any time, for as long as the site is alive. On top of that, the file comes installed by default when a new WordPress site is set up. Hackers are just one step away from controlling the whole site: obtaining the correct login credentials. And the best part (for hackers) is that they can simply write a script that brute-forces the username and password indefinitely, with no limit on the number of attempts.
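One defender-side check that follows from this, as an added example and not code from the original post: a small Python script that reads access-log lines in the Apache "combined" format (assumed) and flags any client sending a burst of POSTs to /xmlrpc.php, which is what unlimited credential guessing looks like from the server side. The log lines below are constructed, not captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def find_xmlrpc_bursts(lines, threshold=5, window=timedelta(minutes=1), path="/xmlrpc.php"):
    """Return {ip: total POSTs to `path`} for every client that sent more than `threshold`
    POSTs to it inside any `window`-long span; two legitimate API calls minutes apart stay quiet."""
    posts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == path:
            posts[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):              # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample lines (not from a real server): 203.0.113.7 hammers xmlrpc.php every
# two seconds, 198.51.100.4 is an editor making two API calls, 192.0.2.9 just views the file.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2019:13:55:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.22"'
    for s in range(0, 12, 2)
] + [
    '198.51.100.4 - - [10/Oct/2019:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/5.2"',
    '198.51.100.4 - - [10/Oct/2019:13:58:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/5.2"',
    '192.0.2.9 - - [10/Oct/2019:13:56:10 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(find_xmlrpc_bursts(SAMPLE_LOG))            # {'203.0.113.7': 6}
```

Pointing the same function at the renamed path (see the rename trick below) tells you whether anyone has found the new name, while continued hits on the old one are just scanners probing a dead endpoint.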

Delete the file to be safe? No need.

While deleting xmlrpc.php or disabling it through the .htaccess file is what most people suggest in order to cover this WordPress vulnerability, that is only the right call if the site owner has no wish to use the powerful WordPress API, for example to run a bot that automates the posting process.

The best trick to keep xmlrpc.php usable while not risking compromise of the whole site is simple: rename xmlrpc.php to another name. Any random name will do. For the best result, make it as long and complicated as a crypto private key.

Guessing the new name of the renamed xmlrpc.php would take any malicious attempt a long while, and nobody can even be sure whether xmlrpc.php is enabled on the targeted site. Of course, for the average user who never makes use of such an advanced WordPress feature, the best thing to do is probably just to disable it.


Posted from my blog with SteemPress : https://fr3eze.vornix.blog/your-wordpress-site-is-vulnerable-due-to-xmlrpc-php/


Thanks for sharing this info :)
WordPress is extremely convenient, but at a cost. Just gotta stay up to date!

Just renaming it away will do. But yeah, who knows whether there are any other vulnerabilities like this. Security is always a huge topic. Thanks for popping by, man!
