[wp-hackers] WP’s XML-RPC functionality a security vulnerability?

Patty Ayers patty at ayersvirtual.com
Mon Jul 21 16:27:14 UTC 2014

If this is off-topic, I apologize. A web host I use sent me this "courtesy
security alert", copy-pasted below. Is this accurate? What about their
recommendations, do you agree with their advice? I have about 25 live WP
sites and want to keep them as secure as possible. I do use basic good
security measures (strong passwords, themes and plugins updated, nightly
off-site backups, etc.) already. Thanks very much in advance,


"Dear Customer,

Please consider this a courtesy security alert. This message only applies
to WordPress websites.

We wanted to make you aware of a vulnerability in WordPress that is
becoming an increasingly popular exploit for attackers.

The vulnerability is from WordPress’s XML-RPC
<http://codex.wordpress.org/XML-RPC_Support> functionality, a feature
enabled by default since version 3.5. Attackers are abusing the feature to
launch DDoS attacks against other sites.

It is important to note that XML-RPC does serve some legitimate purposes
<http://codex.wordpress.org/XML-RPC_Support>, including the pingback
<http://en.support.wordpress.com/comments/pingbacks/> feature and the
ability to post content remotely from various WebLog clients.

Due to the scale and nature of the exploits, however, we would like to
recommend that WordPress owners who do not require or need the XML-RPC
functionality take steps to disable the threat from their site.

For advanced WordPress users, XML-RPC can be disabled by modifying the
functions.php file from the site.
For general users, there are several plugins available that disable
XML-RPC, including “Disable XML RPC Fully
<https://wordpress.org/plugins/disable-xml-rpc-fully/>” ..."
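An added example (not part of the original post or the host's alert) of what the "modify functions.php" advice looks like in practice, written as a functions.php or mu-plugin snippet. The filters used (xmlrpc_enabled, xmlrpc_methods, wp_headers, bloginfo_url) are real WordPress filters; the callback names are this example's own. The security-relevant caveat it carries: the commonly quoted one-liner `add_filter( 'xmlrpc_enabled', '__return_false' )` only disables XML-RPC methods that require a login, and pingback.ping does not require one, so that line alone does not stop the pingback-based DDoS the alert describes.

```php
<?php
/**
 * Added example: turn off WordPress XML-RPC and, separately, the pingback
 * methods that the DDoS abuse relies on. Drop this into a theme's
 * functions.php or, better, wp-content/mu-plugins/disable-xmlrpc.php so
 * it survives theme changes. Filter names are real WordPress filters;
 * the example_* callback names are this example's own.
 */

// 1. Disable the XML-RPC login path. Every method that needs credentials
//    (wp.*, metaWeblog.*, blogger.*) now returns an error, which also
//    shuts down password guessing through system.multicall.
//    Caveat: pingback.ping does NOT call login(), so this filter alone
//    leaves the pingback amplification vector open; see step 2.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Unregister the pingback methods so xmlrpc.php can no longer be used
//    to make this site send HTTP requests to a URL the attacker chooses.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// 3. Stop advertising the endpoint: drop the X-Pingback response header
//    that WordPress sends on single posts, and blank the pingback URL that
//    themes print as <link rel="pingback" href="..."> in <head>.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

function example_hide_pingback_url( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}
add_filter( 'bloginfo_url', 'example_hide_pingback_url', 10, 2 );
```

To confirm the change took effect, POST an XML-RPC `system.listMethods` call to the site's /xmlrpc.php (for example with curl) and check that pingback.ping no longer appears in the returned method list; a remaining system.listMethods response is expected, since only the login-gated methods and the pingback methods are removed, not the endpoint itself. Sites that genuinely need remote posting from a WebLog client should keep step 1 out and apply steps 2 and 3 only.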

