WordPress is NOT a secured Web Software by Default. On Cloud Computing Platforms Disabling XMLRPC, SMTP on WordPress For Security is Important. PHP itself has some problems, WordPress developers hugely love some features which make both WordPress complicated and vulnerable. Nowadays, a web host is publishing their “paid guides” on their website (directly, it is Digital Ocean) and Google is hugely loving. They have guides which can be dangerous for a relatively new user. We are talking about HP Cloud where we have control with router to control the ports apart from Firewall at operating system level. Your setup assumed to be on IBM, HP Cloud, Rackspace etc. standard IaaS providers or OpenShift or Heroku PaaS.
Disabling XMLRPC, SMTP on WordPress For Security : What the Hell They Do?
XMLRPC is for remote blogging, pingbacks, trackback etc. SMTP function is mainly needed for Mail, which can be avoided by using transactional email services. We wrote before how to use Mandrill to receive email from WordPress.
Unless you are quite used with networking, try avoiding both of them. We might need SMTP daemon for monitoring services. smtpd needs a non-Free software library to get configured on deb GNU/Linux. This is the thing Richard Stallman talks about Debian – Debian has these repo of non-Free softwares on their “servers”. Ubuntu Multiverse has these non-Free softwares. In very short, for many monitoring service we might need smtpd. Thats quite dangerous to keep open to the World.
---
Disabling XMLRPC, SMTP on WordPress For Security
On deb GNU/Linux, if smtpd is not configured; practically neither XMLRPC will work not the vulnerability will remain wide open. However, that is NOT exactly the right method for bullet proof security on WordPress. There are many security experts talked about this XMLRPC problem of WordPress. If you do a cURL on that XMLRPC on our website, you’ll see :
1 2 | $ curl -I -s https://thecustomizewindows.com/xmlprc.php | grep HTTP HTTP/1.1 301 Moved Permanently |
this is done both from WordPress PHP level as well as from Nginx web server. XMLRPC not only can do DDoS but can invite Man in the Middle Attack.
Basically that /xmlrpc.php calls another files. We are keeping that XMLRPC Advertisement towards the dangerous automated bots to get the IP, but you normally should disable it with this filter plus remove the function :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | // 1. disables the function add_filter( 'xmlrpc_enabled', '__return_false' ); // 2. removes specifically the functions add_filter( 'xmlrpc_methods', 'tcw_block_xmlrpc_attacks' ); function tcw_block_xmlrpc_attacks( $methods ) { unset( $methods['pingback.ping'] ); unset( $methods['pingback.extensions.getPingbacks'] ); return $methods; } // 3. removes header "advertisement" add_filter('wp_headers', function($headers) { unset($headers['X-Pingback']); return $headers; }); // 4. alternate way to remove the header "advertisement" add_filter( 'wp_headers', 'tcw_remove_x_pingback_header' ); function tcw_remove_x_pingback_header( $headers ) { unset( $headers['X-Pingback'] ); return $headers; } |
You can see the are numbered as 1,2,3,4. You should use any of this combination :
- 1 or 2 or 3 or 4 alone
- 1 + 3
- 1 + 4
- 2 + 3
- 2 + 4
You can add these on theme or child theme’s functions.php file or use our easy plugin to add any snippet theme or child theme’s functions.php file. As the physical file is present, we should block it too (on Nginx) :
1 2 3 4 5 6 7 8 | # server { # rest of the codes location = /xmlrpc.php { deny all; } # rest of the codes # } # server block ends |
There is no reason to think that a hacker will not know about WordPress.
Disabling XMLRPC, SMTP on WordPress For Security : Checking the Access Logs
If you only see only the error logs, you will see errors against the XMLRPC by :
1 | Googlebot/2.1; http://www.google.com/bot.html |
actually its fake. Here is screenshot of such fake tries which we revealed by another method we are describing :
if you access log of Nginx is /var/log/nginx/access.log, then if you run this command :
1 | grep xmlrpc /var/log/nginx/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head |
there are 100% spammy blacklisted IPs. They needs to be blocked via firewall.
Tagged With wordpress security functions php , worldpress Could not connect to SMTP host