Feature #12911

Block access to xmlrpc.php based on User-Agent

Added by Boone Gorges almost 2 years ago. Updated almost 2 years ago.

Branching off of #12898.

On today's dev call, we decided we'd try blacklisting certain User-Agent strings in xmlrpc.php requests.

I downloaded the last 7 complete days of access logs and did some parsing to get a list of unique user agents. The attached CSV file has these agents, with the corresponding counts.

Attachment: user-agent-counts.csv (46 KB), Boone Gorges, 2020-06-09 04:58 PM
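The tally described above, as an added worked example that is not the page's or the Commons' own script: it parses Apache "combined" log lines (that LogFormat is an assumption), keeps only requests for xmlrpc.php, and writes User-Agent/count pairs as CSV in the shape of the attached file. The log lines are constructed for illustration, including a multisite-style /somesite/xmlrpc.php path and a request with no User-Agent header (which Apache logs as "-").

```python
"""Tally User-Agent strings on xmlrpc.php requests from an Apache access log.

Added example; assumes the Apache 'combined' LogFormat:
  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
"""
import csv
import io
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real Commons traffic). Apache logs a missing
# User-Agent header as "-", and a multisite subdirectory install can put a
# site slug in front of /xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2020:10:01:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
203.0.113.7 - - [09/Jun/2020:10:01:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
198.51.100.9 - - [09/Jun/2020:10:02:15 -0400] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
192.0.2.44 - - [09/Jun/2020:10:03:40 -0400] "POST /somesite/xmlrpc.php?for=sync HTTP/1.1" 200 812 "-" "WordPressSyncClient/1.0"
192.0.2.45 - - [09/Jun/2020:10:04:00 -0400] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is not in combined format and is skipped
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def is_xmlrpc(path):
    """True for /xmlrpc.php or /<site>/xmlrpc.php, ignoring any query string."""
    return path.split("?", 1)[0].endswith("/xmlrpc.php")

def xmlrpc_user_agents(lines):
    """Counter of User-Agent -> number of xmlrpc.php requests carrying it."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_xmlrpc(rec["path"]):
            counts[rec["ua"]] += 1
    return counts

def to_csv(counts):
    """Render the tally as CSV, busiest User-Agent first."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user_agent", "count"])
    for ua, n in counts.most_common():
        writer.writerow([ua, n])
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    # Pass a real access log as the first argument; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(to_csv(xmlrpc_user_agents(fh)), end="")
    else:
        print(to_csv(xmlrpc_user_agents(SAMPLE_LOG.splitlines())), end="")
```

Lines that do not match the format are skipped rather than counted under a bogus agent, so a quick check that the number of parsed lines is close to `wc -l` is worth doing before trusting the counts.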

Related issues

Related to CUNY Academic Commons - Support #13286: problem connecting with WordPress app (New, 2020-09-04)


#1 Updated by Boone Gorges almost 2 years ago

  • Assignee set to Boone Gorges

I monitored incoming xmlrpc traffic for a few minutes to see what kind of payload was being sent with the requests. I wanted to make sure it's not legitimate. A good number of requests were simply empty. A lot of others were wp_getUserBlogs - they appeared to be fishing expeditions of some sort.

As a test, I've blocked all xmlrpc.php requests with User-Agent beginning with 'Mozilla':

RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*$ [NC]
RewriteRule ^xmlrpc\.php$ - [R=403,L]

If this massively breaks anything, I assume we'll hear about it shortly :-D
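An added example, not the page's or the project's own code, of the two checks comment #1 combines: the same User-Agent test the RewriteCond applies (an anchored prefix match, case-insensitive because of the NC flag), and extraction of the XML-RPC methodName from the POST body so that empty bodies and wp.getUsersBlogs probes (the method name as the WordPress XML-RPC server registers it; the comment spells it wp_getUserBlogs) can be told apart from the calls a real client makes. The sample requests are constructed, and the body-size cap and the refusal of DOCTYPE/ENTITY declarations are this example's own hardening choices.

```python
"""Apply the User-Agent prefix test from the rewrite rule and look inside the
XML-RPC body of whatever it lets through. Added example; the sample requests
are constructed, and the body-size cap and DOCTYPE refusal are this example's
own choices, not something the rule or WordPress does."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Equivalent of  RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*$ [NC] : anchored
# prefix, case-insensitive.
BLOCKED_UA = re.compile(r"^Mozilla", re.IGNORECASE)

MAX_BODY_BYTES = 64 * 1024  # constructed cap; real XML-RPC calls are far smaller

def ua_blocked(user_agent):
    """True if the mod_rewrite rule would answer 403 for this User-Agent."""
    return bool(user_agent) and BLOCKED_UA.match(user_agent) is not None

def xmlrpc_method(body):
    """methodName of a well-formed XML-RPC call, else None.

    Refuses DOCTYPE/ENTITY declarations before handing the bytes to the XML
    parser, so a hostile body cannot use entity expansion against the tool.
    """
    if isinstance(body, str):
        body = body.encode("utf-8")
    if len(body) > MAX_BODY_BYTES or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName")
    return name.strip() if name else None

def classify(user_agent, body):
    """What the server sees for one request: the UA rule's verdict first,
    then an empty, malformed, or named-method body."""
    if ua_blocked(user_agent):
        return "403 by User-Agent rule"
    if not body.strip():
        return "empty body"
    method = xmlrpc_method(body)
    return "malformed" if method is None else "method:" + method

# A minimal XML-RPC call with a username/password pair, as a credential probe sends.
CALL = (b"<?xml version='1.0'?><methodCall><methodName>%s</methodName>"
        b"<params><param><value><string>admin</string></value></param>"
        b"<param><value><string>Password1</string></value></param></params></methodCall>")

# Constructed requests (User-Agent, POST body), not captured traffic.
SAMPLE_REQUESTS = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", b""),                  # blocked, body never read
    ("mozilla/4.0 (compatible; MSIE 6.0)", CALL % b"wp.getUsersBlogs"),  # blocked: NC makes it case-insensitive
    ("", b""),                                                            # no UA, empty body: slips past the rule
    ("python-requests/2.23.0", CALL % b"wp.getUsersBlogs"),              # credential probe, slips past the rule
    ("WordPressSyncClient/1.0", CALL % b"wp.getPosts"),                  # looks like a real client call
    ("curl/7.68.0", b"<!DOCTYPE x [<!ENTITY a 'aaaa'>]><methodCall><methodName>&a;</methodName></methodCall>"),
    ("curl/7.68.0", b"not xml at all"),
]

def summarize(requests):
    """Counter of verdict -> number of requests."""
    return Counter(classify(ua, body) for ua, body in requests)

if __name__ == "__main__":
    for ua, body in SAMPLE_REQUESTS:
        print(f"{classify(ua, body):28} {ua or '(no User-Agent)'}")
```

Two things the sample set shows that the log tally alone does not: the User-Agent header is chosen by the client, so a probe sent with a non-browser agent (python-requests, curl, or no header at all) walks straight past the prefix rule, and a blocked agent that begins with "Mozilla" may belong to a legitimate client that happens to identify that way. Looking at the method name catches the first case; only an allow-list of the clients actually in use catches the second.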

#2 Updated by Raymond Hoh over 1 year ago

  • Related to Support #13286: problem connecting with WordPress app added
