Turn off XML-RPC #749
Comments
From this page: https://docs.pantheon.io/guides/wordpress-developer/xml-rpc-attacks I had a quick look around to harden/update my default wp_head commands we discussed and would suggest we include the following if we are copying across the head_cleanup from CNCF:
However, after doing that and running WP Scan it still raises that it's accessible. So perhaps that is because it's not redirecting somewhere else. But then if Pantheon say it's blocked I'm not sure why WPScan could be able to access it anyway. Strange.
We are not using the Pantheon WordPress upstream. I suspect that upstream has modified the WP core files directly to block it. We could try out this plugin and see if that satisfies wp-scan. If so, we could pull out the code we need from it or just keep it installed? Alternatively we could install one of those big security plugins like and get it configured to work for us.
Ah ok, makes sense. We could just protect the path in our pantheon.yml file then? https://docs.pantheon.io/pantheon-yml#protected-web-paths
Ah, right. Ya, here is the standard pantheon.yml that comes with the upstream, and it has a line for xmlrpc.
OK, I'll add it and combine with the other filters and then run a new Scan
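For reference, here is the application-layer part of the hardening the thread talks about, written as an added example rather than code from this repository or from Pantheon. It is an mu-plugin that disables the XML-RPC server, removes the pingback methods, stops advertising the endpoint (the RSD link in wp_head and the X-Pingback header), and answers direct requests to xmlrpc.php with a 403. The last step matters for the scanner result discussed above: the `xmlrpc_enabled` filter only affects the handling of XML-RPC POST requests, so a plain GET to xmlrpc.php still returns 200 with "XML-RPC server accepts POST requests only", which is what a direct-access check keys on. Blocking the path in pantheon.yml (`protected_web_paths`, as linked above) remains the stronger control because it acts before WordPress loads; this plugin is a belt-and-braces layer for environments that are not on Pantheon. The plugin name and file location are assumptions, not anything the issue specifies.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardening example)
 * Description: Added example; place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Refuse XML-RPC calls at the WordPress layer (affects POST requests to the server).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods even if XML-RPC is re-enabled by another plugin.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the RSD <link> from wp_head and the X-Pingback header.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so by the time
// 'init' fires we can tell a direct request to the endpoint apart from a normal
// page load and refuse it outright. This also covers GET requests, which the
// 'xmlrpc_enabled' filter alone does not, so a scanner no longer sees a 200.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
} );
```

After deploying, a request such as `curl -sI https://example.test/xmlrpc.php` (hostname constructed) should show a 403 rather than a 200, and the page source should no longer contain a `rel="EditURI"` link; re-running the scan then confirms whether the direct-access finding has cleared.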
Signed-off-by: James Hunt <[email protected]>
Just creating this issue to track findings around XML-RPC
From WP Scan:
[+] XML-RPC seems to be enabled: https://events.linuxfoundation.org/wp/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/