Last week, we began responding to a vulnerability involving XML-RPC that affected WordPress® sites across the Internet.
Sounds hardcore. I know what you’re thinking: Am I using it and I don’t know? Is it one of those mysterious Internet/Web things that messes with my website even though I don’t know anything about it? Should I be wondering about XML while eating my Cheerios?
Short answer? Sort of.
Long answer? Don’t worry, you don’t need to know how to read XML or open and close tags to understand what it is and how it might affect your website. You might not even need to use it at all. In general, WordPress uses XML-RPC for two things: pingbacks and blogging clients. Technically, there are other reasons WordPress uses XML-RPC, but these two are the most popular. XML-RPC is a way for your WordPress site to communicate with the outside world. A few plugins use it, including Jetpack.
What are pingbacks?
A pingback is an easy way for WordPress to track when someone else links back to your website. Think of it as a comment on someone else’s website. They like what you wrote and they decided to reference it on their website. That’s cool. Usually, you can see them in the comments section of WordPress.
Blogging client? Is that what I use now?
Probably not. Most WordPress users publish content using the default WordPress interface. It’s that wp-admin page you visit every time you want to add a post to your blog or update your home page. There are, however, a bunch of other ways to publish stuff to your WordPress site. You could use an application on your computer or your smartphone, you could use another Web application, or you could pull content from another site that you manage. Heck, you could even seriously geek-out and set up some kind of auto-publishing using email and IFTTT and Evernote. XML-RPC makes this sort of stuff possible.
The risk with XML-RPC and WordPress
Some security experts online recognized that someone might be able to take advantage of XML-RPC and create a distributed denial of service (DDoS) attack against servers hosting sites that use XML-RPC. In this situation, hackers would program many computers all over the world to simultaneously focus on a single WordPress server. What happens then? All of this non-legitimate traffic and system requests clog up the system. Someone who legitimately wants to visit your website can’t get to it.
It’s a little like a street mob flooding your favorite coffee shop. You show up ready to get some delicious French press, and you can’t even get in the door. A whole bunch of loiterers, with no intention of ordering coffee, are keeping you out.
And sure enough, that’s what happened. Earlier this week, some hackers took advantage of the XML-RPC goodness and started slamming WordPress Web servers (all over the Internet) with fake traffic—essentially jamming the system, slowing down websites, and crashing Web servers.
Top priority: keep sites live
We noticed the attack early on Monday morning and quickly weighed our options. In the end, we decided to temporarily block XML-RPC traffic. Why? Well, we wanted to keep our customers’ websites live. That was our first priority. We had a lot of customers calling and contacting us about their WordPress sites running slow or timing out. That’s frustrating. You might not have pingbacks and you might not be able to use your blogging client for a little while, but your site would stay live and responsive.
Once we blocked the XML-RPC traffic and got the affected sites back in play, we focused on figuring out a way to get XML-RPC safely working again.
What we’re doing to keep XML-RPC active
We tackled the issue from multiple angles. There are many pieces to a WordPress hosting account. There’s the actual network connection to the server, the operating system running on the server, the Web server software, WordPress, and XML-RPC. We’ve set up filters at these various levels to keep the bad guys (and unreasonable amounts of volume) out and make sure WordPress works the way you expect it to.
For example: if your WordPress site has something like 15 XML-RPC requests per minute, that doesn’t make sense. We know that something suspicious is up, so we block it. Setting specific thresholds on our network and on our hosting servers lets typical use through, and stops any attempts to clog the system before they happen.
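To make the threshold idea above concrete, here is an added example (not the hosting provider's own filter, and not part of the original post) that counts requests for xmlrpc.php per site and per minute over web server access log lines and reports the site-minutes that reach a threshold. It assumes an Apache combined log format with the virtual host name prepended, which is a layout chosen for the example, reuses the post's "something like 15 requests per minute" figure as the default threshold, and runs on constructed log lines rather than real traffic.

```python
"""Per-site, per-minute counting of xmlrpc.php requests over access log lines,
a rough model of a hosting-side threshold. Added example; the log layout is an
assumption and the sample lines are constructed, not captured traffic."""

import re
from collections import Counter
from datetime import datetime

# Apache combined log format with the virtual host prepended
# (LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"").
# This layout is an assumption made for the example.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The post names roughly 15 XML-RPC requests per minute as a level that does
# not look like normal use; that figure is reused here as the default.
DEFAULT_THRESHOLD = 15


def parse_line(line):
    """Return (vhost, ip, datetime, method, path, status), or None when the
    line does not match the expected format (skipped rather than crashing)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("vhost"), m.group("ip"), ts, m.group("method"),
            m.group("path"), int(m.group("status")))


def xmlrpc_counts_per_minute(lines):
    """Count requests for /xmlrpc.php per (vhost, minute). The query string is
    stripped so /xmlrpc.php?anything is still counted as an XML-RPC request."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        vhost, _ip, ts, _method, path, _status = rec
        if path.split("?", 1)[0] != "/xmlrpc.php":
            continue
        minute = ts.strftime("%Y-%m-%dT%H:%M")
        counts[(vhost, minute)] += 1
    return counts


def sites_over_threshold(lines, threshold=DEFAULT_THRESHOLD):
    """Return [(vhost, minute, count)] for every site-minute at or above the
    threshold, noisiest first, so an operator sees the worst-hit site on top."""
    counts = xmlrpc_counts_per_minute(lines)
    hits = [(v, m, c) for (v, m), c in counts.items() if c >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


def make_line(vhost, ip, second, method="POST", path="/xmlrpc.php", status=200):
    """Build one constructed log line at a fixed minute (10/Mar/2014 08:01)."""
    return (f'{vhost} {ip} - - [10/Mar/2014:08:01:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 370 "-" "-"')


# Constructed sample: blog-a.example receives 20 xmlrpc.php POSTs within one
# minute from many addresses (flood-like); blog-b.example receives two posts
# from a single blogging client plus ordinary page views, which must not be
# flagged. Hostnames and addresses are documentation/example values.
SAMPLE_LOG = (
    [make_line("blog-a.example", f"203.0.113.{n}", n) for n in range(20)]
    + [make_line("blog-b.example", "198.51.100.9", 5),
       make_line("blog-b.example", "198.51.100.9", 40),
       make_line("blog-b.example", "192.0.2.33", 12, method="GET", path="/"),
       make_line("blog-b.example", "192.0.2.34", 13, method="GET", path="/?p=12")]
)

if __name__ == "__main__":
    for vhost, minute, count in sites_over_threshold(SAMPLE_LOG):
        print(f"{vhost} {minute}: {count} xmlrpc.php requests")
```

On the constructed sample only blog-a.example is reported; blog-b.example's two requests are the kind of low-volume blogging-client use the post says a threshold should let through. A real deployment would read the live log, tune the threshold per site, and hand flagged sites to whatever enforcement the network or web server layer provides.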
It’s like a game of chess
It’s not always easy. Attacks like this are a lot like playing chess. Bad guys constantly adjust their attack and we constantly counter-measure. Rest assured, though, we’ve got a 24/7 team that constantly monitors and adjusts with one primary goal in mind: keep your site live. You’re the hero of our story; we’re doing our best to keep it that way.