I'm running a WordPress website and I have found from the server logs that xmlrpc.php and wp-cron.php are being requested (POST requests, of course) very frequently--including some suspicious IPs that reek of malicious activity or attempts. My understanding is that xmlrpc.php provides an "API" for others to interact with the site. wp-cron.php is for periodic tasks. So why do I see so many requests to those pages? Are hackers looking for some kind of backdoor or security hole?
asked Feb 19, 2014 at 22:21 by masoug; edited Feb 19, 2014 at 22:23 by s_ha_dum
- Well, to answer your question, yes, though those are not hackers, they are bots. – Wyck Commented Feb 19, 2014 at 23:56
- Does WordPress leak information from those files? I guess I'm just worried that sending garbage to xmlrpc and wp-cron causes them to spew error messages that then reveal information about my WordPress installation. – masoug Commented Feb 20, 2014 at 4:19
- Well, it depends on if you have any errors; by default no, and you can turn them off. – Wyck Commented Feb 20, 2014 at 13:38
1 Answer
We experienced this just last night.
xmlrpc.php
Lots of traffic to xmlrpc.php is a classic sign of a WordPress pingback attack. By default, pingbacks are turned on in WP. A non-malicious user/website uses this mechanism to notify you that your website has been linked-to by them, or vice versa.
A malicious user can exploit this. If they spoof their HTTP headers, then your server is sending lots of pingback traffic to a third-party server. This could be used, say, to launch a DDoS attack at someone else.
A decent write-up of this, along with a diagram, can be found here by Tim Butler.
If this worries you (and it should), there are suggestions about securing xmlrpc.php elsewhere on StackExchange: How to secure WordPress XMLRPC?
wp-cron.php
At present, there don't seem to be any live vulnerabilities to wp-cron.
That doesn't mean the out-of-the-box wp-cron is benign. The default config for wp-cron assumes you're on a web host that doesn't let you add any cron jobs, and so there's a crummy workaround that involves spamming your server. If you're getting lots of requests (say, because you're being spammed, as per above) then every malicious call to xmlrpc.php is spawning a "by-default" call to wp-cron.
Further reading: The Nightmare that is WP Cron
Note: the solution proposed in this article is cogent and sensible, but may not be paranoid enough. Just because there aren't any vulnerabilities in WP Cron at the moment doesn't mean there won't be in future. Personally, I'd want to add additional server rules only allowing access to wp-cron.php from the server's own IP address.
As always, YMMV.
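The check below is an added example, not part of the original answer or of WordPress: it reads access-log lines and reports which clients POST heavily to xmlrpc.php and which POSTs to wp-cron.php come from anywhere other than the server itself. The log format (common/combined), the server's own addresses, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Common/combined access-log format: client address, then the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')

# Assumption: the addresses this server uses when WordPress requests its own wp-cron.php.
OWN_ADDRESSES = {"127.0.0.1", "::1", "203.0.113.10"}

def summarize(lines, own=OWN_ADDRESSES, xmlrpc_threshold=3):
    """Return (clients at/over the xmlrpc.php POST threshold, external wp-cron.php callers)."""
    own_set = {ip_address(a) for a in own}
    xmlrpc_hits, external_cron = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        client, method, target = m.groups()
        if method != "POST":
            continue  # the question is about POST requests
        try:
            addr = ip_address(client)
        except ValueError:
            continue  # hostname or garbage in the client field
        path = target.split("?", 1)[0].lower()
        if path.endswith("/xmlrpc.php"):
            xmlrpc_hits[str(addr)] += 1
        elif path.endswith("/wp-cron.php") and addr not in own_set:
            external_cron[str(addr)] += 1
    noisy = {ip: n for ip, n in xmlrpc_hits.items() if n >= xmlrpc_threshold}
    return noisy, dict(external_cron)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2014:22:01:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
198.51.100.7 - - [19/Feb/2014:22:01:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
198.51.100.7 - - [19/Feb/2014:22:01:12 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
192.0.2.44 - - [19/Feb/2014:22:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.10 - - [19/Feb/2014:22:01:13 +0000] "POST /wp-cron.php?doing_wp_cron=1392847273.1 HTTP/1.0" 200 0
192.0.2.44 - - [19/Feb/2014:22:01:14 +0000] "POST /wp-cron.php HTTP/1.1" 200 0
198.51.100.7 - - [19/Feb/2014:22:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    noisy, cron = summarize(SAMPLE_LOG)
    print("xmlrpc.php POST sources at/over threshold:", noisy)
    print("wp-cron.php POSTs not from this server:", cron)
```

Any address in the second result is a candidate for the kind of server rule the answer suggests, since legitimate wp-cron.php calls originate from the site's own host.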