Project

General

Profile

Actions

Feature #12911

open

Block access to xmlrpc.php based on User-Agent

Added by Boone Gorges almost 4 years ago. Updated almost 4 years ago.

Status:
New
Priority name:
Normal
Assignee:
Category name:
-
Target version:
Start date:
2020-06-09
Due date:
% Done:

0%

Estimated time:
Deployment actions:

Description

Branching off of #12898.

On today's dev call, we decided we'd try blacklisting certain User-Agent strings in xmlrpc.php requests.

I downloaded the last 7 complete days of access logs and did some parsing to get a list of unique user agents. The attached CSV file has these agents, with the corresponding counts.


Files

user-agent-counts.csv (46 KB) user-agent-counts.csv Boone Gorges, 2020-06-09 04:58 PM

Related issues

Related to CUNY Academic Commons - Support #13286: problem connecting with WordPress app AbandonedRaymond Hoh2020-09-04

Actions
Actions #1

Updated by Boone Gorges almost 4 years ago

  • Assignee set to Boone Gorges

I monitored incoming xmlrpc traffic for a few minutes to see what kind of payload was being sent with the requests. I wanted to make sure it's not legitimate. A good number of requests were simply empty. A lot of others were wp_getUserBlogs - they appeared to be fishing expeditions of some sort.

As a test, I've blocked all xmlrpc.php requests with User-Agent beginning with 'Mozilla':

RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*$ [NC]                                 
RewriteRule ^xmlrpc\.php$ - [R=403,L]

If this massively breaks anything, I assume we'll hear about it shortly :-D

Actions #2

Updated by Raymond Hoh over 3 years ago

  • Related to Support #13286: problem connecting with WordPress app added
Actions

Also available in: Atom PDF