[wp-hackers] WP’s XML-RPC functionality a security vulnerability?

Jeremy Clarke jer at simianuprising.com
Mon Jul 21 16:42:19 UTC 2014

I've noticed a huge surge in trash traffic to /xmlrpc.php on my big sites.
In my case they are coming from different IP's every time which makes them
very hard to block (and indicating a DDOS or at least distributed intrusion

Originally they were coming in with a specific user-agent so I could at
least block them from loading the page, but today it seems they've switched
to empty user agents, making the requests a lot harder to block.

AFAIK there's no fundamental flaw in WP that would make all these requests
a security hazard, but anything that hits the login functionality in WP
over and over is going to have a bad performance impact because of
transients or whatever else gets saved to the DB when someone tries to log
in (which is probably what the XMLRPC requests are actually doing).

Jeremy Clarke
Code and Design • globalvoicesonline.org

More information about the wp-hackers mailing list