
Spike: Limit access to XML-RPC

Open mboynes opened this issue 1 year ago • 2 comments

Description

It would be helpful to block XML-RPC access as much as possible. Jetpack uses it, as do the WordPress.com mobile apps, so we shouldn't block it completely. Maybe we can get away with blocking basic auth?

We should spike this first to list out our options.

Use Case

XML-RPC is a common attack vector for hackers/bot networks to brute-force login attempts. Anything we can do to mitigate that is a win for security, server performance, chargeable server requests, etc.

Acceptance Criteria

  • Research what our options are for either fully disabling XML-RPC or selectively allowing access to it (e.g., for Jetpack or WordPress.com mobile apps)
  • Create a follow-up issue with the details to build the feature

mboynes, Jul 27 '23 17:07
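As an added illustration of the options such a spike could weigh (example written for this page, not code from wp-alleyvate, Jetpack or WordPress core), the mu-plugin below wires up four core WordPress hooks that exist as named: `xmlrpc_methods`, `authenticate`, `xmlrpc_enabled` and `xmlrpc_login_error`. The namespace `Alley\Spike\XmlRpc` and the constant `ALLEY_XMLRPC_DISABLE_PASSWORD_LOGIN` are hypothetical names chosen for the example. Two things it relies on are exactly what the spike would need to confirm: that Jetpack's WordPress.com-signed requests never go through `wp_xmlrpc_server::login()` (so refusing password login does not break them), and whether the WordPress.com mobile apps can sign in with an Application Password.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (spike illustration)
 *
 * Added example for the spike above, not wp-alleyvate code. Drop it in
 * wp-content/mu-plugins/ to try the options it shows:
 *   1. xmlrpc_methods     - remove system.multicall (one HTTP request can carry
 *                           hundreds of login attempts) and pingback.ping
 *                           (reflection abuse).
 *   2. authenticate       - on XML-RPC requests, refuse the account's real
 *                           password and accept only WordPress Application
 *                           Passwords (random, revocable, per client).
 *   3. xmlrpc_enabled     - the nuclear option, behind a constant, for sites
 *                           that need no password-based XML-RPC at all.
 *   4. xmlrpc_login_error - make every failed login visible to ops.
 *
 * Assumptions to verify in the spike: Jetpack's WordPress.com-signed requests
 * never call wp_xmlrpc_server::login(), so options 2 and 3 do not break them;
 * the WordPress.com mobile apps can authenticate with an Application Password.
 */

declare( strict_types=1 );

namespace Alley\Spike\XmlRpc; // Hypothetical namespace for this example.

/**
 * Option 1: drop methods that exist mainly to amplify abuse.
 *
 * @param array<string, callable|string> $methods Method name => handler.
 * @return array<string, callable|string>
 */
function filter_xmlrpc_methods( array $methods ): array {
	unset( $methods['system.multicall'], $methods['pingback.ping'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', __NAMESPACE__ . '\filter_xmlrpc_methods' );

/**
 * Option 2: on XML-RPC requests, detach core's username/email + password
 * authenticators so that only wp_authenticate_application_password() can
 * succeed. XMLRPC_REQUEST is defined by xmlrpc.php before WordPress loads,
 * so this is decided once at load time and never touches wp-login.php.
 */
function require_application_password_on_xmlrpc(): void {
	if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
		return;
	}
	// Both are registered in wp-includes/default-filters.php at priority 20.
	remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
}
require_application_password_on_xmlrpc();

/**
 * Option 3: refuse password login outright. wp_xmlrpc_server::login() then
 * returns "XML-RPC services are disabled on this site." before any password
 * hash is computed, which is also the cheapest answer to a brute-force flood.
 * ALLEY_XMLRPC_DISABLE_PASSWORD_LOGIN is a hypothetical wp-config.php switch.
 *
 * @param bool $enabled Whether password-based XML-RPC methods are enabled.
 * @return bool
 */
function maybe_disable_password_login( bool $enabled ): bool {
	if ( defined( 'ALLEY_XMLRPC_DISABLE_PASSWORD_LOGIN' ) && ALLEY_XMLRPC_DISABLE_PASSWORD_LOGIN ) {
		return false;
	}
	return $enabled;
}
add_filter( 'xmlrpc_enabled', __NAMESPACE__ . '\maybe_disable_password_login' );

/**
 * Option 4: log each failed XML-RPC login. Core already sends the client a
 * generic "Incorrect username or password."; we keep that message and record
 * the WP_Error code (invalid_username, incorrect_password, login_prevented,
 * authentication_failed, ...) plus the client address for upstream rate limiting.
 * Never log the submitted password.
 *
 * @param \IXR_Error $error Error about to be returned to the client.
 * @param \WP_Error  $user  Why wp_authenticate() rejected the request.
 * @return \IXR_Error
 */
function log_login_failure( $error, $user ) {
	$code = $user instanceof \WP_Error ? $user->get_error_code() : 'unknown';
	$ip   = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: '-';
	error_log( sprintf( 'xmlrpc login failed: code=%s ip=%s', $code, $ip ) );
	return $error;
}
add_filter( 'xmlrpc_login_error', __NAMESPACE__ . '\log_login_failure', 10, 2 );
```

Option 2 still runs a password-hash comparison per attempt, so it removes the payoff of brute force (Application Passwords are random 24-character secrets) without removing its cost; option 3 is the one that also saves CPU and chargeable requests, at the price of any client that still signs in with a username and password over XML-RPC.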