
Feature #12911

Block access to xmlrpc.php based on User-Agent

Added by Boone Gorges about 1 year ago. Updated about 1 year ago.

Status: New
Priority name: Normal
Assignee:
Category name: -
Target version:
Start date: 2020-06-09
Due date:
% Done: 0%
Estimated time:

Description

Branching off of #12898.

On today's dev call, we decided we'd try blacklisting certain User-Agent strings in xmlrpc.php requests.

I downloaded the last 7 complete days of access logs and did some parsing to get a list of unique user agents. The attached CSV file has these agents, with the corresponding counts.

Attachment: user-agent-counts.csv (46 KB), Boone Gorges, 2020-06-09 04:58 PM

Related issues

Related to CUNY Academic Commons - Support #13286: problem connecting with WordPress app (Status: New, 2020-09-04)

History

#1 Updated by Boone Gorges about 1 year ago

  • Assignee set to Boone Gorges

I monitored incoming xmlrpc traffic for a few minutes to see what kind of payload was being sent with the requests. I wanted to make sure it's not legitimate. A good number of requests were simply empty. A lot of others were wp_getUserBlogs - they appeared to be fishing expeditions of some sort.

As a test, I've blocked all xmlrpc.php requests with User-Agent beginning with 'Mozilla':

# Block xmlrpc.php when the User-Agent starts with "Mozilla"; [NC] makes the match case-insensitive.
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*$ [NC]
# "-" leaves the URL unchanged and a non-3xx R= code only sets the status, so this is equivalent to [F].
RewriteRule ^xmlrpc\.php$ - [R=403,L]

If this massively breaks anything, I assume we'll hear about it shortly :-D
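The two pieces of work in this ticket, tallying User-Agents on xmlrpc.php requests from the access log (the description) and looking at what the requests actually carry and what the test rule above would refuse (comment #1), as an added Python example that is not part of the ticket or of the Commons codebase. Everything it runs on is constructed: the log lines use RFC 5737 addresses and made-up agents, and the XML-RPC bodies use wp.getUsersBlogs, the WordPress XML-RPC method the comment refers to. The system.multicall handling goes beyond the comment: XML-RPC lets a client batch many calls behind that one outer method name, so a tally of outer names alone would undercount the probes.

```python
# Added example, not part of the ticket: tally User-Agents on xmlrpc.php requests
# from Apache combined-format access logs, simulate the comment #1 rewrite rule,
# and extract XML-RPC method names from request bodies (wp.getUsersBlogs, also
# when batched inside system.multicall). All log lines, agents and payloads are
# constructed for illustration.
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Apache LogFormat "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Same match as the posted rule: RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*$ [NC]
BLOCKED_UA_RE = re.compile(r"^Mozilla.*$", re.IGNORECASE)


def parse_combined(line):
    """Fields of one combined-format line, or None when the line does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_user_agents(lines):
    """Count User-Agent strings on requests for /xmlrpc.php (query string ignored)."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["path"].split("?", 1)[0] == "/xmlrpc.php":
            counts[rec["ua"]] += 1
    return counts


def would_be_blocked(user_agent):
    """True when the comment #1 rule would answer 403 for this User-Agent."""
    return BLOCKED_UA_RE.match(user_agent) is not None


def xmlrpc_method_names(body):
    """Method names called by an XML-RPC body; [] for empty or non-XML-RPC bodies.

    A system.multicall wrapper is unwrapped so the inner methodName values are
    reported, because probe calls can be batched behind that one outer name.
    """
    try:
        root = ET.fromstring(body)  # "" raises ParseError: the empty requests seen in comment #1
    except ET.ParseError:
        return []
    if root.tag != "methodCall":
        return []
    name = (root.findtext("methodName") or "").strip()
    if not name:
        return []
    if name != "system.multicall":
        return [name]
    inner = []
    # multicall layout: params/param/value/array/data/value/struct/member{name,value}
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                value = member.find("value")
                text = value.findtext("string") if value is not None else None
                if text is None and value is not None:
                    text = value.text  # bare <value>name</value> form
                if text and text.strip():
                    inner.append(text.strip())
    return inner


# Constructed log lines; the last one is deliberately not in combined format.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2020:10:00:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.5 - - [09/Jun/2020:10:00:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.7 - - [09/Jun/2020:10:00:03 -0400] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 120 "-" "ExampleMobileApp/1.0 (constructed)"',
    '198.51.100.9 - - [09/Jun/2020:10:00:04 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [09/Jun/2020:10:00:05 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "mozilla/4.0 (compatible; constructed)"',
    "this line is not in combined format and is skipped",
]
# Constructed payloads: one probe, and the same probe batched twice via system.multicall.
SAMPLE_PROBE = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    "<params><param><value><string>someuser</string></value></param>"
    "<param><value><string>somepass</string></value></param></params></methodCall>"
)
_INNER = (
    "<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
    "<member><name>params</name><value><array><data><value><string>someuser</string></value>"
    "<value><string>{}</string></value></data></array></value></member></struct></value>"
)
SAMPLE_MULTICALL = (
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    "<params><param><value><array><data>" + _INNER.format("pass1") + _INNER.format("pass2")
    + "</data></array></value></param></params></methodCall>"
)

if __name__ == "__main__":
    for ua, n in xmlrpc_user_agents(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {'BLOCK' if would_be_blocked(ua) else 'allow'}  {ua}")
    for body in ("", SAMPLE_PROBE, SAMPLE_MULTICALL):
        print(xmlrpc_method_names(body))
```

Running would_be_blocked over the agents in user-agent-counts.csv is the check to do before leaving the rule in place: with [NC] it refuses every agent that starts with "Mozilla" in any case, which is how mainstream browsers and many non-browser clients identify themselves, so the allow/block split per agent shows what legitimate traffic the test rule takes down with the probes. One mod_rewrite caveat, assuming the rule lives in the site's .htaccess: there the pattern ^xmlrpc\.php$ is directory-relative, while the same rule in a <VirtualHost> block would need ^/xmlrpc\.php$ to match at all.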

#2 Updated by Raymond Hoh 11 months ago

  • Related to Support #13286: problem connecting with WordPress app added
