Feature #12911
open
Block access to xmlrpc.php based on User-Agent
Added by Boone Gorges over 4 years ago.
Updated over 4 years ago.
Description
Branching off of #12898.
On today's dev call, we decided we'd try blacklisting certain User-Agent strings in xmlrpc.php requests.
I downloaded the last 7 complete days of access logs and did some parsing to get a list of unique user agents. The attached CSV file has these agents, with the corresponding counts.
Files
- Assignee set to Boone Gorges
I monitored incoming xmlrpc traffic for a few minutes to see what kind of payload was being sent with the requests. I wanted to make sure it's not legitimate. A good number of requests were simply empty. A lot of others were wp_getUserBlogs - they appeared to be fishing expeditions of some sort.
As a test, I've blocked all xmlrpc.php requests with User-Agent beginning with 'Mozilla':
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*$ [NC]
RewriteRule ^xmlrpc\.php$ - [R=403,L]
If this massively breaks anything, I assume we'll hear about it shortly :-D
- Related to Support #13286: problem connecting with WordPress app added
Also available in: Atom
PDF