Turn off XML-RPC #749

Closed
thetwopct opened this issue Mar 14, 2023 · 5 comments · Fixed by #747
@thetwopct
Collaborator

Just creating this issue to track findings around XML-RPC.

From WP Scan:

[+] XML-RPC seems to be enabled: https://events.linuxfoundation.org/wp/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

@thetwopct
Collaborator Author

thetwopct commented Mar 14, 2023

From this page: https://docs.pantheon.io/guides/wordpress-developer/xml-rpc-attacks
"Pantheon blocked requests to xmlrpc.php by default in the WordPress 5.4.2 core release."
So doesn't it seem weird that they have raised this as an issue?

I had a quick look around at hardening/updating the default wp_head commands we discussed, and would suggest we include the following if we are copying across the head_cleanup from CNCF:

    // Controls whether XML-RPC methods requiring authentication are enabled.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Unregister the whole XML-RPC method space.
    add_filter( 'xmlrpc_methods', fn( $methods ) => array() );

    // Deactivate the X-Pingback HTTP header.
    add_filter(
        'wp_headers',
        function( $headers ) {
            unset( $headers['X-Pingback'] );
            return $headers;
        }
    );

However, after doing that and running WPScan, it still reports that it's accessible. So perhaps that is because it's not redirecting somewhere else. But then, if Pantheon say it's blocked, I'm not sure why WPScan would be able to access it anyway. Strange.
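As an added example (not code from this issue or from the project), the three filters above combined into a must-use plugin, plus two things the thread's snippet does not do: removing the RSD link that wp_head emits, and refusing the request outright once it reaches xmlrpc.php. The filters alone change what the endpoint answers, not whether it answers, which is why a direct-access check still sees it. The plugin name and the mu-plugins location are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not the project's own code)
 * Place in wp-content/mu-plugins/ so it loads before the XML-RPC server is built.
 */

// Only consulted on XML-RPC login: gates the methods that require authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Unregister every method, pingback.ping included, so nothing is callable at all.
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Drop the X-Pingback response header that advertises the endpoint.
add_filter(
	'wp_headers',
	function ( $headers ) {
		unset( $headers['X-Pingback'] );
		return $headers;
	}
);

// rsd_link prints the EditURI <link> in wp_head that points at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so by the time
// 'init' fires we know this is an XML-RPC request and can refuse it. Without
// this, xmlrpc.php still replies to a plain GET ("XML-RPC server accepts POST
// requests only."), and that reply is what a direct-access check keys on.
add_action(
	'init',
	function () {
		if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
			status_header( 403 );
			nocache_headers();
			exit;
		}
	},
	0
);
```

Blocking the path at the platform edge (for example a protected web path in pantheon.yml) stops the request before PHP runs at all; this plugin is the in-WordPress equivalent for hosts without that option.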

@cjyabraham
Collaborator

We are not using the Pantheon WordPress upstream. I suspect that upstream has modified the WP core files directly to block it.

We could try out this plugin and see if that satisfies WPScan. If so, we could pull out the code we need from it, or just keep it installed? Alternatively, we could install one of those big security plugins like and get it configured to work for us.

@thetwopct
Collaborator Author

thetwopct commented Mar 14, 2023

Ah OK, makes sense. We could just protect the path in our pantheon.yml file then? https://docs.pantheon.io/pantheon-yml#protected-web-paths

@thetwopct
Collaborator Author

OK, I'll add it, combine it with the other filters, and then run a new scan.

thetwopct added a commit that referenced this issue Mar 14, 2023
@thetwopct thetwopct self-assigned this Mar 14, 2023
thetwopct added a commit that referenced this issue Mar 14, 2023
thetwopct added a commit that referenced this issue Mar 14, 2023
cjyabraham pushed a commit that referenced this issue Mar 27, 2023