[webarch-wp] Preventing abuse of the WordPress XML-RPC interface
Chris Croome
chris at webarchitects.co.uk
Tue Nov 3 11:35:40 GMT 2015
Hi
We have been seeing quite a few denial of service attacks on the
WordPress /xmlrpc.php file across many sites and would strongly urge
everybody to install this plugin to deny access to this file from
anywhere apart from the JetPack/Automattic's servers:
- Stop XML-RPC Attack
https://wordpress.org/plugins/stop-xmlrpc-attack/
If you don't need to allow any XML-RPC access then you can simply add
this to your ~/.htaccess file and not use the plugin:
<Files xmlrpc.php>
Deny from all
</Files>
We should have new WordPress secure shared hosting packages to announce
soon; these will come with an automated WordPress install which will
include:
- HTTPS certificates from Let's Encrypt
https://letsencrypt.org/
- A Piwik account and the install and configuration of WP-Piwik to
enable access to web stats from within WordPress
https://wordpress.org/plugins/wp-piwik/
- Automatic installs of wp-fail2ban, stop-xmlrpc-attack and
disable-google-fonts for privacy and security
https://wordpress.org/plugins/wp-fail2ban/
https://wordpress.org/plugins/stop-xmlrpc-attack/
https://wordpress.org/plugins/disable-google-fonts/
When this service is launched we will also be able to assist existing
sites to be migrated to the servers running the new shared hosting
packages.
All the best
Chris
--
Webarchitects Co-operative
http://webarchitects.coop/
+44 114 276 9709
@webarchcoop
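
Added example, not part of the original message: a small Python check over an Apache combined-format access log that reports which clients are hammering xmlrpc.php and how many of those POSTs were not answered with 403, which is what Apache returns once the <Files> block above is active. The log lines, the function names and the 3-per-minute threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation-range addresses).
SAMPLE = """\
192.0.2.10 - - [03/Nov/2015:11:35:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [03/Nov/2015:11:35:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [03/Nov/2015:11:35:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [03/Nov/2015:11:36:10 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [03/Nov/2015:11:35:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [03/Nov/2015:11:35:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
""".splitlines()

def xmlrpc_posts(lines):
    """Yield (host, minute, status) for each POST to an xmlrpc.php file."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string; also match installs in a sub-directory.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        # "03/Nov/2015:11:35:40 +0000" -> "03/Nov/2015:11:35" (one-minute bucket)
        yield m["host"], m["time"][:17], int(m["status"])

def noisy_clients(lines, per_minute=3):
    """Return {host: peak POSTs in one minute} for hosts at or over the threshold."""
    buckets = Counter((host, minute) for host, minute, _ in xmlrpc_posts(lines))
    peaks = {}
    for (host, _), count in buckets.items():
        peaks[host] = max(peaks.get(host, 0), count)
    return {host: n for host, n in peaks.items() if n >= per_minute}

def unblocked(lines):
    """Count xmlrpc.php POSTs that did not get a 403, i.e. were not denied."""
    return sum(1 for _, _, status in xmlrpc_posts(lines) if status != 403)

if __name__ == "__main__":
    print("noisy clients:", noisy_clients(SAMPLE))
    print("POSTs not denied:", unblocked(SAMPLE))
```

To run it against a real log, pass an open file object in place of SAMPLE; a non-zero unblocked count after adding the .htaccess rule means the rule is not being applied for that site.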