WP Tavern Forums
“attempted tie to dDOS”
I think most here are equating the statement in the post with the brute-force password guessing for admin credentials.

However, I thought a while back there were some methods posted about how “DDoSers” could use multiple WordPress xmlrpc’s to amplify an attack on a third party.

I’m not positive this is what the author was talking about, as I think he linked to a definition of DDoS and not info about this amplification method.

However, I think it is a valid concern, even if your site is not being targeted. I would bet that there are thousands of WordPress sites out there in which the admins / authors never have and never will use xmlrpc. Having it turned on is indeed a security issue for the site itself, and I think it could also be used to harm other sites.

Reminds me of a friend’s father who did not care that his anti-virus software was expired. He said, “I only have pics of my grandkids on there, nothing for anyone to want to steal, and if they did, I would not care.”

Given that this gentleman had relatives in a controversial country, I asked him: “What if a virus maker was to infect your computer and use it to attack, via password guessing or traffic overloading, the people in your home country X?

If that scenario was a real possibility, would you then consider updating your anti-virus software?”

That was many years ago, and that kind of attack was rare… these days, things like that are much more likely.

I think he updated his AV software and learned a bit more about this connected world, and surely if he had xmlrpc running on his web site he would turn it off if a checkbox was there with a note about what it does and what it can be used for:
1 – unchecked – can’t post with your phone app, can’t be used to attack other sites, and can’t be used to flood your server with 1000 password guesses per minute, bypassing your limit-logins security.
2 – checked – now you can post with your phone. Now your site can be used to attack other sites, and the bots will come and cram a thousand passwords an hour through your system for a couple of days at a time every few weeks. Enjoy.
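The opt-in checkbox described above, as an added example that is not part of the original post or of WordPress core: a small mu-plugin whose option name (hyp_xmlrpc_on) is invented, while the filters, hooks and helper functions it calls are core WordPress APIs. With the box unchecked (the default) the login-based XML-RPC methods refuse requests, the pingback methods are removed so the site cannot act as a reflector, and the X-Pingback header is no longer sent.

```php
<?php
/**
 * Plugin Name: XML-RPC opt-in switch (hypothetical example, not core code)
 * Place this file in wp-content/mu-plugins/ to get a checkbox under Settings > Writing.
 * Option name hyp_xmlrpc_on is invented; everything it calls is a core WordPress API.
 */

// Default is OFF: no remote posting, but also no pingback reflection and no
// system.multicall password guessing through xmlrpc.php.
function hyp_xmlrpc_is_on() {
    return (bool) get_option( 'hyp_xmlrpc_on', false );
}

// Login-based XML-RPC methods honour this filter (it gates wp_xmlrpc_server::login()).
add_filter( 'xmlrpc_enabled', 'hyp_xmlrpc_is_on' );

// pingback.ping needs no login, so xmlrpc_enabled does not stop it: remove the
// pingback methods explicitly whenever the box is unchecked.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( ! hyp_xmlrpc_is_on() ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    }
    return $methods;
} );

// Stop advertising the endpoint in responses while it is off.
add_filter( 'wp_headers', function ( $headers ) {
    if ( ! hyp_xmlrpc_is_on() ) {
        unset( $headers['X-Pingback'] );
    }
    return $headers;
} );

// The checkbox itself, with a note on what turning it on exposes.
add_action( 'admin_init', function () {
    register_setting( 'writing', 'hyp_xmlrpc_on', array(
        'type'              => 'boolean',
        'default'           => false,
        'sanitize_callback' => 'rest_sanitize_boolean', // absent checkbox => false
    ) );
    add_settings_field( 'hyp_xmlrpc_on', 'Enable XML-RPC', function () {
        printf(
            '<label><input type="checkbox" name="hyp_xmlrpc_on" value="1" %s> %s</label>',
            checked( hyp_xmlrpc_is_on(), true, false ),
            esc_html( 'Needed for remote posting (e.g. the mobile app). While on, xmlrpc.php also answers pingbacks and multicall login attempts.' )
        );
    }, 'writing' );
} );
```

Blocking xmlrpc.php at the web server is the stricter option, since a few methods that need neither login nor pingback (such as demo.sayHello) remain reachable with this plugin alone.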

