Recent Update To Wordfence Security Breaks WordPress Mobile Apps

With the release of WordPress 3.8.2, some users are reporting on the WordPress.org support forum that the update disabled XML-RPC causing mobile apps to break. Many of those who are reporting the issue have one thing in common: they’re using the Wordfence Security plugin. With over 1.5 million downloads, Wordfence Security is a popular plugin used to secure WordPress sites.

Wordfence Security Plugin Header

A recent update to Wordfence disables XML-RPC in WordPress to prevent sites from being used as drones in a pingback Denial of Service attack. Due to the timing of WordPress 3.8.2 as well as the update to Wordfence, users think 3.8.2 is the culprit. Andrew Nacin, lead developer for WordPress, replied to the support thread explaining why the fix is improper and has no tangible benefit to users:

The changelog says “Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.” The problem is this “attack” affects pingbacks. But the fix actually disables everything in XML-RPC except pingbacks, thus breaking mobile apps and anything else relying on XML-RPC, but allowing pingbacks through.

If you want to disable pingbacks, then disable pingbacks. Don’t do this. Or don’t do anything, as these attacks are not particularly effective and more recent versions of WordPress and Akismet both pass along better information when verifying pingbacks; and Akismet additionally detects abuse.

Wordfence responded, saying they’ve filed a bug and will be investigating a fix. Until then, if you’re using Wordfence, browse to the plugin’s options page and look for Other Options. Uncheck the box to Disable XML-RPC for DDoS protection.

Upgrade WordPress and Akismet To The Latest Versions

Network Solutions recently sent out a security bulletin to customers using WordPress informing them about the Denial of Service attacks that can result from pingbacks. Network Solutions advised customers to install the Disable XML-RPC plugin. While it disables the XML-RPC API, it does not disable trackbacks and pingbacks.

The best course of action is to update to WordPress 3.8.2 if you haven’t already done so. Also upgrade Akismet to the latest version. Both software updates address the Denial of Service attack associated with pingbacks without having to disable XML-RPC entirely.

There are 12 comments

Comments are closed.