What is XMLRPC and How This Vestigial Tail of WordPress Threatens Your Website Security
In the root directory of every WordPress site is a file, xmlrpc.php, that actually predates WordPress itself. Back in the b2 days, before WordPress was forked from it, this file was created to give blogs a way to communicate with each other and to let other applications (desktop publishing clients, for example) communicate with the blog itself.
What is XMLRPC?
The name tells you everything you need to know about the functionality.
XML – It was designed to accept payloads in XML. These days JSON is a much more common format, but XMLRPC predates JSON by quite a bit.
RPC – RPC stands for Remote Procedure Call. It is a pattern in which one system asks another system to run a named procedure and return the result. These days we use APIs, REST or GraphQL, to do the same thing, but before those existed, RPC was one of the ways we accomplished it.
How does XMLRPC work?
To make xmlrpc.php do something, you POST a message to it. If you are not familiar with how browsers work, this is basically what happens when you click the Submit button on a form: the browser sends a POST request.
If you make a POST request to yourdomain.tld/xmlrpc.php and hand it a properly formatted XML payload naming a method (wp.newPost, for example) and its parameters, you can do things like create a post on your site. The server answers with an XML response carrying either the result or a fault code and message.
One of the things XMLRPC was used for a lot back in the day was “pingbacks”: the automatic comments you see on posts showing that someone else linked to the post from their blog. The linking site calls the pingback.ping method on your xmlrpc.php, passing the URL of its own page and the URL of your post.
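What such a request and its reply actually look like on the wire, as an added example that is not part of the original article and not WordPress code. It uses only Python's standard library, never touches a network, and the username, password and blog details are made up. The server replies are constructed here in the shape WordPress uses (a fault with code 403 for bad credentials):

```python
"""Build and parse the XML-RPC messages that xmlrpc.php exchanges with clients.

Added example; stdlib only, fully offline. Credentials and site data are fake.
"""
import xmlrpc.client

# Constructed example credentials (not real).
USERNAME = "admin"
PASSWORD = "not-a-real-password"


def build_request(method: str, *params) -> bytes:
    """Return the XML body a client would POST to /xmlrpc.php."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def parse_request(body: bytes):
    """Server side: recover the method name and parameters from a POSTed body."""
    params, method = xmlrpc.client.loads(body.decode())
    return method, params


def parse_response(body: bytes):
    """Client side: return the call's result, or the Fault object if it failed."""
    try:
        params, _ = xmlrpc.client.loads(body.decode())
        return params[0]
    except xmlrpc.client.Fault as fault:
        return fault


# 1. The call a client (or a credential-guessing tool) would send.
#    wp.getUsersBlogs takes just (username, password), which is why attackers like it.
REQUEST = build_request("wp.getUsersBlogs", USERNAME, PASSWORD)

# 2. Two constructed server replies: a success, and the login failure WordPress returns.
OK_RESPONSE = xmlrpc.client.dumps(
    ([{"blogid": "1", "blogName": "Example", "url": "https://example.test/",
       "isAdmin": True}],),
    methodresponse=True,
).encode()
FAULT_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."),
    methodresponse=True,
).encode()


if __name__ == "__main__":
    print("--- request body POSTed to /xmlrpc.php ---")
    print(REQUEST.decode())
    print("--- server side sees ---")
    print(parse_request(REQUEST))
    print("--- client parses a success ---")
    print(parse_response(OK_RESPONSE))
    print("--- client parses a failure ---")
    print(parse_response(FAULT_RESPONSE))
```

The important thing to notice in the printed request is that the username and password travel in plain `<param>` elements of every call; there is no session, so each request is a fresh authentication.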
Potential security threats from WordPress’ XMLRPC
For a long time, XMLRPC was a useful tool. Those days are fading into history. Nearly all of the functionality XMLRPC used to provide is now handled by the built-in REST API, yet the old endpoint is still enabled by default and still hanging around. Those who get nostalgic about such things see it and smile. Those who worry about security see it and frown.
XMLRPC poses two distinct security risks for WordPress sites, and both can result in severe attacks.
Brute Force Attacks via XMLRPC
The first type of WordPress XMLRPC attack is a simple brute force attack. Since the XML payload passed to WordPress carries the username and password of the user who wants to take the action, it is an easy way for attackers to try username and password combinations until they find one that works. Many security-conscious site owners limit the number of login attempts a user can make on wp-login.php before locking them out, but never think to block or rate-limit XMLRPC requests, which leaves a back door open for attackers. It gets worse: the system.multicall method lets a single POST carry hundreds of method calls, each with its own username and password, so an attacker can test a whole batch of guesses in one request while producing a single line in your access log. Recent WordPress core versions fail the rest of a batch as soon as one login in it fails, but the number of separate requests is still unlimited.
Once an attacker finds credentials that work, they are free to damage your site by injecting content into its database. Whether that content is posts, pages, or just comments, the end result is the same: content that you did not approve and most likely do not want is being served by your site.
At the very least, this means spam comments or posts. At worst, it could be innocuous-looking posts or comments with malware injected into them.
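A detection check that covers both forms of the brute force described above: counting the login attempts hidden inside a single system.multicall body, and spotting an IP that hammers xmlrpc.php with many separate POSTs. This is an added example, not code from the original article or from WordPress; the access log lines and the multicall payload are constructed here, the threshold and window are arbitrary, and the set of credential-taking methods is a partial list chosen for illustration:

```python
"""Count XML-RPC login attempts, including those packed into system.multicall,
and flag IPs that burst POSTs at xmlrpc.php.

Added example (not WordPress code). Log lines and payloads are constructed;
THRESHOLD and WINDOW are illustrative, not recommended values.
"""
import re
import xmlrpc.client
from collections import defaultdict
from datetime import datetime, timedelta

# Partial list of methods whose parameters include a username and password,
# so each call is a credential check against the database.
LOGIN_METHODS = {
    "wp.getUsersBlogs", "wp.getProfile", "wp.getUsers",
    "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs",
}
THRESHOLD = 20                 # assumed: POSTs per window before we flag an IP
WINDOW = timedelta(minutes=1)  # assumed: sliding window length


def count_login_attempts(body: bytes) -> int:
    """How many credential checks one POST body asks the server to perform."""
    params, method = xmlrpc.client.loads(body.decode())
    if method == "system.multicall":
        calls = params[0]  # list of {"methodName": ..., "params": [...]}
        return sum(1 for call in calls if call.get("methodName") in LOGIN_METHODS)
    return 1 if method in LOGIN_METHODS else 0


def multicall_body(guesses: int) -> bytes:
    """Constructed attacker payload: `guesses` password guesses in one request."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": ["admin", f"guess{i}"]}
             for i in range(guesses)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


# Common-log-format prefix: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def flag_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the set of IPs with more than `threshold` POSTs to /xmlrpc.php
    inside any sliding `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/xmlrpc.php":
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def _line(ip, second, method="POST", path="/xmlrpc.php"):
    """Constructed access-log line; addresses are documentation ranges."""
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "{method} {path} HTTP/1.1" 200 370'


LOG_LINES = (
    [_line("203.0.113.7", s) for s in range(0, 50, 2)]       # 25 POSTs in 48 seconds
    + [_line("198.51.100.9", s) for s in (5, 30)]             # a normal client
    + [_line("198.51.100.9", 10, "GET", "/xmlrpc.php")]       # GETs are not attempts
)


if __name__ == "__main__":
    print("guesses in one multicall body:", count_login_attempts(multicall_body(500)))
    print("IPs bursting xmlrpc.php:", flag_bursts(LOG_LINES))
```

The two checks need different data: the rate check works from the access log alone, but the multicall count needs the request body, which means logging or inspecting POST bodies (a web application firewall or a WordPress hook on xmlrpc_call), since an access log shows one line for a 500-guess request.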
DDoS attacks using XMLRPC
Because one of the things XMLRPC was used for was pingbacks, malicious users can use it to overwhelm your server by issuing a lot of expensive requests all at once.
Handling a pingback is not cheap. When pingback.ping arrives, WordPress fetches the source URL to verify that the page really links to your post, and then writes a comment record to your database. An outbound HTTP request plus a database write is an expensive task, resource-wise. While a single pingback won’t hurt your site’s performance, hundreds or even thousands of them at once can bring even the beefiest server to its knees. The same verification fetch also cuts the other way: because your site will fetch whatever source URL it is given, attackers have used thousands of WordPress sites as reflectors, asking each of them to pingback a single victim so that the victim receives a flood of requests from legitimate-looking blogs.
This is called a DDoS, or Distributed Denial of Service, attack. Distributed because it’s usually not a single machine making all the requests; usually it is a whole bunch of machines spread out all over the place.
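A server-side gate that vets a pingback.ping request before any of the expensive work happens, as an added example that is not WordPress's own pingback handler. It checks that the target really is a page on this site, that the source is a public http(s) URL (so the site cannot be pointed at itself or an internal address), and that no single client can send more than a handful of pingbacks per minute. The site hostname, the limits and the injectable clock are assumptions for illustration; a production version would also have to check the address the source hostname resolves to, not just the literal in the URL:

```python
"""Gate pingback.ping requests before fetching the source or touching the database.

Added example, not WordPress code. SITE_HOST, the limits and the clock are assumed.
"""
import ipaddress
import time
import xmlrpc.client
from collections import deque
from urllib.parse import urlsplit

SITE_HOST = "blog.example.test"  # assumed: the hostname this server serves
MAX_PER_WINDOW = 5               # assumed: pingbacks accepted per client per window
WINDOW_SECONDS = 60.0            # assumed: window length


class PingbackGate:
    def __init__(self, now=time.monotonic):
        self._now = now            # injectable clock so the limiter is testable
        self._recent = {}          # client ip -> deque of accept timestamps

    def check(self, body: bytes, client_ip: str) -> str:
        """Return 'accept' or a 'reject: ...' reason. Cheap checks run first;
        the rate limit is charged only for otherwise-valid requests."""
        try:
            params, method = xmlrpc.client.loads(body.decode())
        except Exception:
            return "reject: malformed"
        if method != "pingback.ping" or len(params) != 2 \
                or not all(isinstance(p, str) for p in params):
            return "reject: malformed"
        source, target = params
        if not self._is_local_target(target):
            return "reject: target is not on this site"
        if not self._is_public_http(source):
            return "reject: source is not a public http(s) URL"
        if not self._within_rate(client_ip):
            return "reject: rate limit"
        return "accept"

    @staticmethod
    def _is_local_target(url: str) -> bool:
        parts = urlsplit(url)
        return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST

    @staticmethod
    def _is_public_http(url: str) -> bool:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme not in ("http", "https") or not host:
            return False
        try:
            # IP literal: refuse loopback, private, link-local and similar ranges.
            return ipaddress.ip_address(host).is_global
        except ValueError:
            pass
        # Hostname: refuse localhost and single-label names. A real deployment must
        # repeat the range check on the resolved address before connecting.
        return host != "localhost" and not host.endswith(".localhost") and "." in host

    def _within_rate(self, client_ip: str) -> bool:
        now = self._now()
        stamps = self._recent.setdefault(client_ip, deque())
        while stamps and now - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= MAX_PER_WINDOW:
            return False
        stamps.append(now)
        return True


def ping_body(source: str, target: str) -> bytes:
    """Build the XML a linking blog would POST for pingback.ping(source, target)."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping").encode()


if __name__ == "__main__":
    gate = PingbackGate()
    ok = ping_body("https://other.example.test/post/1", "https://blog.example.test/hello-world/")
    for i in range(7):
        print(i + 1, gate.check(ok, "203.0.113.7"))
    print(gate.check(ping_body("http://127.0.0.1/", "https://blog.example.test/x/"), "203.0.113.7"))
```

Order matters: the target and source checks cost nothing and reject reflection attempts outright, and only requests that pass them consume a slot in the per-client window, so an attacker cannot use junk requests to lock out a legitimate blog behind the same address.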