Why do you need the XMLRPC PHP file. Programming competitions
A few days ago I noticed that the load of my sites on the hosting grew at times. If usually it was in the region of 100-120 "Parrots" (CP), then over the past few days it has increased to 400-500 CP. There is nothing good in this, because the hoster can translate to a more expensive tariff, and even cover access to sites at all, so I began to understand.
But I chose a method that allows you to save the XML-RPC functionality: installation of the DISABLE XML-RPC Pingback plugin. It deletes only the "dangerous" methods pingback.ping and pingback.extensions.getpingbacks, leaving the XML-RPC functionality. After installing the plugin you only need to activate - no further configuration is required.
Along the way, I scored all IP attackers to file.htaccess my sites to block them access. Just finished at the end of the file:
Order All Deny From 5.196.5.116 37.59.120.214 92.222.35.159
That's all, now we securely protected the blog from further attacks using xmlrpc.php. Our sites stopped shipping by requests, as well as attack with DDOS third-party sites.
WordPress has always been an embedded tool for remote access to your site. Indeed, sometimes you need to get to your site, and the computer is far from you. For a long time, the solution was filed by xmlrpc.php. However, last years this file has become a bigger problem than the solution.
Below we will discern xmlrpc.php and why it was created. We will also consider common security problems that it can cause and how to fix them for your site on WordPress.
XML-RPC is a WordPress function, which allows you to transmit data from HTTP protruding as transport and XML - for encoding. Since WordPress is not a closed system and often communicates with other systems, solutions were found for this task.
For example, let's say you want to publish on your site from your mobile phone. You need to use remote access provided by xmlrpc.php.
The main functional XMLRPC.php is the ability to connect to the site from the smartphone, the implementation of trackbakes and linkbies from other sites and some functions associated with the JetPack plugin.
Why was XMLRPC.PHP created and how was it used?
Implementing XML-RPC goes far in the early days of WordPress and even before Wordpress has become Wordpress.
Returning to those days when the Internet only recently appeared, the connections were very slow and the recording process and publication in the web was much more difficult and time. Instead of making changes immediately through the browser, the majority made them in theline and then copied and inserted their content online. And this process was far from the ideal.
The solution (at that time) was the creation of a client for offline blogging, where you could make up your content, then connect to your blog and publish it. This connection was carried out via XML-RPC. With the main functionality of XML RPC, early applications using similar connections provided people with the opportunity to enter their WordPress sites from other devices.
XML RPC today
In 2008, with version 2.6 WordPress, the XML-RPC on and off option appeared. However, with the release of WordPress application for iPhone, the XML-RPC support was enabled by default and there was no possibility to shut down. So it remains and today.
Of course, the functionality provided by this file has decreased significantly over time, and the file size decreased from 83kb to 3kb, it no longer plays such a role as before.
XML-RPC properties
With a new programming interface of WordPress application (API), we can expect XML-RPC to be completely disabled. Today, this new API is still at the test stage and can only be included through a special plugin.
Although you can expect the API directly in the WordPress kernel in the future, which completely eliminates the need to use XMLRPC.php.
The new API is not perfect, but it provides good reliable protection, unlike xmlrpc.php.
Why disable xmlrpc.php.
The biggest problem associated with XML-RPC is safety. The problem is not directly related to the XML-RPC, but it can be used to turn on the attack on your site.
Of course you can protect a very reliable password password and WordPress plugins that ensure safety. But the best protection mode will simply turn off it.
There are two main weaknesses of XML-RPC, which were used in the past.
The first - uses the attack by direct selection of the password (Brute Force Attacks) to gain access to your site. Attacking will try to access your site using xmlrpc.php selecting various combinations of user names and passwords. They can effectively use one team for testing hundreds of different passwords. This allows them to bypass the security tools that usually detect and block the attacks of direct selection.
Second - Translation of the site to Offline by DDOS attack. Hackers will use the back notice in WordPress to send it thousands of sites at the same time. This XMLRPC.PHP functionality gives hackers with an almost infinite amount of IP addresses to distribute DDOS attack.
To check whether XML-RPC works on your site, you can run it using the tool called XML-RPC Validator. Run your website using the tool, and if you receive an error message, it means that you do not have XML-RPC support.
If you receive a successful completion message, you can stop xmlrpc.php one of two approaches below.
Method 1: Disconnection XMLRPC.PHP with plugin
Disable XML-RPC on your WordPress site is incredibly easy.
Go to section Plugins\u003e Add new In your WordPress Admin Console. Find plugin Disable XML-RPC And install it, it looks like in the picture below:
Activate the plugin and everything is ready. This plugin will automatically insert the necessary code to disable XML-RPC.
However, remember that the installed plugins can use parts of XML-RPC, and then its shutdown can cause a conflict of plug-ins or individual parts and output from the operating mode.
If you only want to disable individual XML-RPC elements, but allow other plugins and functions to work, then refer to such plugins:
- Stop XML-RPC Attack. This plugin stop all XML-RPC attacks, but it is allowed to continue the operation of such plugins as Jetpack and other automatic tools and plugins, providing them with access to XMLRPC.php files.
- Control XML-RPC Publishing. This allows you to save control and use remotely publishing.
Method 2: Disconnect XMLRPC.PHP manually
If you do not want to use the plugin and prefer to do it manually, follow this approach. It will stop all incoming XMLRPC.php requests before it is transferred to WordPress.
Open file.htaccess. You may have to enable 'show hidden files' in the file manager or FTP client to find this file.
Insert this code to the file .htaccess.:
# Block Wordpress Xmlrpc.php Requests
Final thoughts
In general, XML-RPC was a good solution to some problems that arose due to a remote publication on your WordPress website. However, at the same time, some security holes appeared, which were quite dangerous for some site owners on WordPress.
To ensure that your site is safe, it is recommended to completely disable XMLRPC.php if you do not need some functions necessary for the remote publication and the JetPack plugin. Then you can use bypass plugins that allow you to use these functions, while correcting security holes.
Over time, we can expect the XML-RPC functions to be integrated into the new WordPress API, which will support remote access without sacrificing security.
Did you block access to XML-RPC via plugin or manually? Or have any problems with security due to the fact that it was first active? Share your experience in the comments below.
HIS POST ALSO SHOWS HOW TO DO BROWSER AUTHENTICATION, AS BELOW:
$ request \u003d xmlrpc_encode_request ("MethodName", Array ("Methodparam"));
$ AUTH \u003d BASE64_ENCODE ($ UserName. ":" $ password);
$ Header \u003d (Version_Compare (phpVersion (), "5.2.8"))
? Array ("Content-Type: Text / Xml", "Authorization: Basic $ AUTH")
: "Content-Type: Text / XML \\ R \\ Nauthorization: Basic$ AUTH "; //
$ CONTEXT \u003d STREAM_CONTEXT_CREATE (Array ("HTTP" \u003d\u003e Array (
"Method" \u003d\u003e "POST",
"Header" \u003d\u003e $ Header,
"CONTENT" \u003d\u003e $ Request
)));
$ WebService \u003d. "http://www.example.com/rpc";
$ file \u003d file_get_contents ($ WebService, False, $ CONTEXT);
$ Response \u003d XMLRPC_DECODE ($ File);
if (xmlrpc_is_fault ($ response)) (
RETURN "XMLRPC: $ Response [FaultString] ($ Response [FaultCode])";
) ELSE (
Return $ Response;
}
?>
1 - Editor Note: This is a fix from "Sanderswang DT PHP AT Gmail Dot COM"
16 Years Ago.
Binary Strings (Set WITH XMLRPC_SET_TYPE) GO INTO A
Silly Though It May Be, IT Causes Real Problems for Some XML-RPC Servers, such as http://jakarta.apache.org/xmlrpc/ (Nee Helma). Stripping Out Those Entities With Something Like
$ REQ \u003d preg_replace ("/ /", "", xmlrpc_encode_request ("MY.METHOD", $ args));
works Around The Problem.
11 Years Ago.
IT SHOULD BE NOTED THAT ENCODING DOES NOT SEEM TO ENCODE ANYTHING, JUST SPECIFY WHAT GOES INTO THE XML Header.
WE HAD PROBLEMS WITH DOUBLE-ENCODED UTF STRINGS BEING SAVED TO DATABASE WHEN USING THIS FUNCHE, SENDING IT OF TO A Apache XML-RPC SERVLET AND STORING IT IN MYSQL DATABASE. IT WAS SOLVED by setting "Escaping" to Just "Markup" and "encoding" to "UTF-8" (don "t forget to set" UTF-8 "in xmlrpc_decode Too).
IT Seems That UTF-8 Encoded Strings Gets Escapad With Their Bytes As Entities Instead of Their Characters AS Entites.
9 Years Ago.
Ever TRIED TRANSMITTING AN ARRAY LIKE THE FOLLOWING WITH XMLRPC?
$ var1 \u003d array (7 \u003d\u003e 14.9 \u003d\u003e 18);
The Output Array Looks QUITE Different! IT Will Look Like That:
$ var2 \u003d array (14,18);
The Only Solution i Found Is To Prepend A Space to the Index:
$ var3 \u003d array ("7" \u003d\u003e 14, "9" \u003d\u003e 18);
USING THAT METHOD YOU "LL GET THE RIGHT RESULT. ($ Var1)
16 Years Ago.
This Function Should Be Used by An XML RPC Client To Create An XML PAYLOAD FOR AN XML-RPC Request;
$ params \u003d "System.Methodsignature";
$ MethodHod \u003d "System.methodhelp";
$ require \u003d xmlrpc_encode_request ($ Method, $ params);
echo ($ Request);
?>
Produces;
The Second Argument Recognises The Type of Variable and Generates The Correct XML-RPC Structure. See xmlrpc_encode () for more details.
12 YEARS AGO.
SIMPLE OO CLIENT WITH FUNTION OVERLOAD:
the PHP Metho Test_Hellogorld Is Translated to Xmlrpc Method Test.Hellogorld.
class rpcclient (
Private $ _methods;
Private $ _Context;
Private $ _URL;
FUNCTION __CONSTRUCT ($ URL, $ User, $ Passwd) (
$ AUTH \u003d BASE64_ENCODE (Sprintf ("% S:% S", $ User, $ passwd));
$ this -\u003e _ CONTEXT \u003d STREAM_CONTEXT_CREATE (Array (
"http" \u003d\u003e array (
"Method" \u003d\u003e "POST",
"Header" \u003d\u003e "CONTENT-TYPE: TEXT / XML \\ R \\ N".
"AUTHORIZATION: BASIC $ AUTH",
)
));
$ this -\u003e _ url \u003d $ url;
$ this-\u003e registermethod ("test_heloworld");
FUNCTION __CALL ($ Methodname, $ params) (
if (Array_Key_exists ($ Methodname, $ this -\u003e _ Methods)) (
// ON APPELLE LA FONCHION RPC
$ M \u003d STR_REPLACE ("_", ".", $ Methodname);
$ r \u003d xmlrpc_encode_request ($ m, $ params, array ("verbosity" \u003d\u003e "newlines_only"));
$ C \u003d $ this -\u003e _ context;
stream_context_set_option ($ C, "HTTP", "CONTENT", $ R);
$ f \u003d file_get_contents ($ this -\u003e _ URL, FALSE, $ C);
$ RESP \u003d XMLRPC_DECODE ($ F);
RETURN $ RESP;
) ELSE (
// ON APPELLE LA FONCHION DE L "OBJET
call_user_method_array ($ Methodname, $ this, $ params);
}
}
Private Function RegisterMethod ($ Method) (
$ this -\u003e _ Methods [$ Method] \u003d True;
}
From noon, Saturdays on my server, where about 25 sites on Wordpress will be hosted, wild brakes began. Since I managed to survive previous attacks (,) not noticed, I did not immediately understand what was the matter.
When I figured out, it turned out that passwords were passing + many requests to XMLRPC.
As a result, it was possible to cut off this, although not immediately. Cat three simple techniques, how to avoid it.
These techniques are most likely known to everyone, but I have come for a couple of rake, which I did not find in the descriptions - suddenly it will save time to someone.
1. Start the bust, Limit Login Attempts plugin - put it, since other protection strongly hang the server, for example, when using the Login Security Solution plugin, the server has died after half an hour, the plugin is very loading the database.
In the setting, be sure to turn on the test "for proxy" - otherwise it will define the IP of your server for all and automatically block all.
Update, thank you, the details below in the comments - a tick "For proxy" turn on only if the definition does not work when "Direct Connection" is enabled
2. Disconnect the XML RPC - Disable XML-RPC plugin (simply activate it and everything).
3. Close WP-Login.php - if you contact the site through the IP, the plugin does not work and the pickles continue to dab site. To avoid this, V.HTaccess add:
The WP-Login file is copied, renamed any strange name, for example Poletnormalny.php and inside the file with the auto-transmission all the inscriptions WP-Login.php on Poletnormalny.php.
All, now you can only contact the admin in your file.
After these 3 simple steps, sites began to fly again and came calm.
Well, suddenly interesting
One option to see what you are attacked. This can be seen in the NGINX logs (for example, here is the path for Debian / Var / Log / Nginx file Access.log).Introduction to XML-RPC
There are many different resources in the network that provide users with certain information. There are not ordinary static pages, but, for example, the data retrieved from the database or archives. This may be an archive of financial data (currency rates, data of securities quotations), weather data, or more voluminous information - news, articles, messages from the forums. Such information may be submitted to the visitor of the page, for example, through the form, as an answer to the request, or every time it is possible to generate dynamically. But the difficulty is that often such information is needed not so much the end user - a person how many other systems, programs that these data will use for their calculations or other needs.
Real example: the page of the banking site, on which currency quotes are shown. If you go to the page as a regular user, through the browser, you see all the design of the page, banners, menus and other information that "framents" the true goal of the search is currency quotes. If you need to make these quotes into your online store, then nothing else will remain as soon as you manually select the desired data and move through the clipboard to your site. And so have to do every day. Is there no way out?
If you decide the problem "in the forehead", then the solution immediately suggests: the program (script on the site), which it is necessary for the data, receives a page from the server as a "ordinary user", disassembles (PARS) the resulting HTML code and highlights the necessary information from it. This can be done by an ordinary regular expression, or with any HTML parser. The complexity of the approach is in its inelectivity. First, to obtain a small portion of data (data on currencies is literally dozen-other characters) you need to receive the entire page, and this is at least a few tens of kilobytes. Secondly, with any change in the page code, for example, the design has changed or something else, our analysis algorithm will have to redo. Yes, and resources will be selected decent.
Therefore, the developers came to the decision - it is necessary to develop a universal mechanism that would allow transparently (at the level of the protocol and transmission environment) and it is easy to exchange data between programs that may be anywhere, be written in any language and work under the control of any operating room Systems and on any hardware platform. Such a mechanism is now called loud term "web services" (Web-Service), "SOAP", "Service-oriented Architecture). For data exchange, open and time-tested standards are used - for sending HTTP messages (although you can use other protocols - SMTP for example). The data itself (in our example - currency rates) are transmitted packed to cross-platform format - as XML documents. For this, a special standard is invented - SOAP.
Yes, now Web services, SOAP and XML have all for hearing, they are started to actively introduce both large corporations like IBM and Microsoft produce new products designed to help total implementation of web services.
But! For our example with currency courses, which should be transmitted from the bank site in the online store engine such a solution will be very complex. After all, only the description of the SOAP standard occupies indecent one and a half thousand pages, and that's not all. For practical use, you will have to study still work with third-party libraries and extensions (only starting with PHP 5.0 it includes a library to work with SOAP), write hundreds and thousands of rows of their code. And all this to obtain several letters and numbers - is clearly very heavy and irrational.
Therefore, there is another one, with the stretch you can say an alternative standard for the exchange of information - XML-RPC. It was designed with the participation of Microsoft by the company Userland Software Inc and is intended for unified data transfer between applications via the Internet. It can replace SOAP when building simple services, where all the "corporate" features of these web services are not necessary.
What does the XML-RPC abbreviation mean? RPC is decrypted as Remote Procedure Call - remote procedure call. This means that the application (no matter, the script on the server or the usual application on the client computer) can be transparently using a method that is physically implemented and executed on another computer. XML here is used to provide a universal description of the description of the transmitted data. As transport, the HTTP protocol is applied to send messages, which allows you to freely exchange data through any network devices - routers, firewalls, proxy servers.
And so, for use, you need to have: the XML-RPC server, which provides one or more methods, the XML-RPC client, which can form a correct request and process the server response, and also know the server parameters needed for successful work - address, method name and method Transmitted parameters.
All work with XML RPC occurs in the "request-response" mode, this is one of the differences from the SOAP standard, where there are the concepts of transactions, and the ability to make deferred calls (when the server saves the request and responds to it at a certain time in future). These additional features will be more useful for powerful corporate services, they significantly complicate the development and support of servers, and put additional requirements for client decision-making developers.
The procedure for working with XML RPC begins with the formation of a query. A typical request looks like this:
POST / RPC2 HTTP / 1.0
User-Agent: Eshop-Test / 1.1.1 (FreeBSD)
Host: Server.localnet.com.
Content-Type: Text / XML
Content-Length: 172
In the first rows, the standard HTTP request header is formed. Mandatory parameters include Host, data type (MIME type), which must be Text / XML, as well as the length of the message. Also, the standard indicates that the User-Agent field must be filled, but may contain an arbitrary value.
Next is the usual XML document header. Root element inquiry -
Line
Next are set to the transmitted parameters. For this serves the section
After describing all the parameters, you follow closing tags. Request and response to XML-RPC These are normal XML documents, so all tags must be closed. But there are no single tags in XML-RPC, although in the XML standard they are present.
Tetener We will analyze the server response. HTTP Answer Title, if the request is successfully processed, the server returns the answer HTTP / 1.1 200 OK. Also as in the query, you should correctly specify the MIME type, the length of the message and the date of the response date.
The body itself itself is as follows:
Now instead of the root tag
If an error occurred when processing your request, then instead The answer will be an element
And now consider briefly the types of data in XML-RPC. Total data types are 9 - seven simple types and 2 complex. Each type is described by its tag or a set of tags (for complex types).
Simple types:
Whole numbers - Tag
Logical type - Tag
ASCII-string - Describes tag
Floating point numbers - Tag
date and time - Describes tag
The last simple type is string encoded in Base64which is described by the tag
Complex types are represented by structures and arrays. The structure is determined by the root element
Arrays do not have names and described tag
Of course, someone will say that such a list of data types is very poor and "does not allow you to turn around." Yes, if you need to transmit complex objects, or large amounts of data, it is better to use SOAP. And for small, undemanding applications, XML-RPC is fully suitable, moreover, very often even its capabilities turns too much! If we take into account the ease of deployment, a very large number of libraries for almost any languages \u200b\u200band platforms, wide support in PHP, then XML-RPC often simply has no competitors. Although it is impossible to immediately advise him as a universal solution - in each particular case it is necessary to solve in circumstances.
How to combine two accounts on Facebook?
Download and insert a beautiful framework to Word Document
How to fix clock_watchdog_timeout type "Blue screen" (0x00000101)