[wp-hackers] Is disabling remote client access a good idea?
wordpress at santosj.name
Wed Jun 25 04:33:16 GMT 2008
How true. I have a blog where the there are no comment forms on any
posts and pages, but somehow the spammers are getting through. The
problem with securing with nonces is that they can be broken depending
on how creative the hacker is.
Interestingly enough, I think the nonce system I made has a great track
record with blocking bots, however the problem is that it sometimes
blocks actual users as well. I'm paranoid, but I think everything should
be protected by a nonce (as if most things aren't already). HTTP headers
can't be trusted and neither can cookies. Hell, you can't even trust
users and sometimes you can't even trust yourself.
Daniel Jalkut wrote:
> It's been interesting to see how the general vibe on this list has
> been more supportive of the limitation, while the comments on my blog
> are in both directions but I think with a bit of lean against the
> A common argument in favor of the limitation is that it "shuts down
> another vector" that may be a security risk. I think what Jens Alfke
> said in my blog comments is very pertinent here:
> "Some people seem to think there’s something special about XML-RPC
> that makes it inherently less secure. Not so — It’s just an HTTP POST,
> just like any other change made via the web UI."
> When you consider the number of distinct HTTP POST access points into
> a typical WordPress blog, all secured by a cookie-type authentication,
> it makes the SINGLE POINT access via the xmlrpc.php URL seem rather
> easy to manage and to secure, by comparison.
> On Jun 24, 2008, at 11:26 PM, Eric Marden wrote:
>>> It's common to disable services that you don't use.
>> Dan, you are completely right.
>> Security is about minimizing exposure, not the ability to survive an
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers