How To Stop XML-RPC Attacks While Allowing Jetpack & VaultPress Access

Folks in the WordPress space have been following the XML-RPC Quadratic Blowup attack fairly closely these last few weeks, as the attack has the capability to cripple sites running an unpatched version of WordPress within minutes, if not seconds. WordPress 3.9.2 (and 3.8.4 and 3.7.4) fixed the root problem, the vulnerability to the XML-RPC Quadratic Blowup attack, but it still allows XML-RPC functionality to be enabled.

Unfortunately, the latest round of patches isn’t enough to stop a persistent cracker/lamer from taking down a site simply by hammering xmlrpc.php with repeated requests. Unless a site has some sort of throttling enabled (via, say, fail2ban [WordPress plugin available here]), a single user can, through sheer persistence, overwhelm a site.

For many WordPress users, XML-RPC isn’t necessary. It offers a convenient way to enable remote editors, such as MarsEdit or Windows Live Writer, to publish posts and pages directly to WordPress. It also allows other blogs to issue pingbacks to posts and pages. Useful, but not critical. In these cases, XML-RPC can be disabled in its entirety.

However, for users of two plugins, it’s absolutely critical: VaultPress and Jetpack. These two plugins rely upon XML-RPC to communicate with Automattic’s servers to perform backups, sync comments, track stats, and a host of other functionality. Sites using Jetpack or VaultPress (or both) have to have XML-RPC enabled or the plugins simply stop working. As Jetpack and VaultPress see wider distribution, disabling XML-RPC entirely becomes less of an option.

I recently had a site that was getting hammered by regular XML-RPC attacks and the user needed to have both VP and JP running. The site itself is running on the now-standard stack of Nginx and PHP-FPM, so here’s what I did:

Basing my work off of this helpful article, I tracked down all of Automattic’s current public IP addresses. (The list in the article itself isn’t fully applicable for two reasons — the addresses aren’t in CIDR notation and the instructions are for Apache instead of Nginx). I translated all of the ranges to CIDR netblocks using a handy CIDR subnet calculator. Then, inside of the site’s Nginx config file, I added the following block:

location = /xmlrpc.php {  # exact match, so a "location ~ \.php$" block cannot shadow it
    include blockips.conf;
    # the site's usual fastcgi_* / PHP-FPM directives for this location go here (not inherited)
}

Then, I created /etc/nginx/blockips.conf, the contents of which were Automattic’s netblocks:

# Automattic's netblocks: one allow line per CIDR block, all of them before deny all
allow 192.0.2.0/24;   # placeholder (RFC 5737 documentation range), not a real Automattic netblock
deny all;

Then I restarted Nginx.

That’s the solution in its entirety. In plain language: if a request for xmlrpc.php isn’t coming from one of the Automattic netblocks, Nginx refuses it outright, no questions asked, and the traffic never even makes it to PHP to get processed. The nice thing about this approach is that, should I ever need to set this up on another host or add another domain to the same host, I can simply make sure blockips.conf is present and point the new config file at it; and if Automattic adds or changes their netblocks, I change one file and it applies to all of my sites automatically. I can even make it into a Puppet-managed asset and put it anywhere I could feasibly need it.
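As an added example (not code from the original post), here is the range-to-CIDR step and the allow/deny evaluation written out in Python: it summarizes first-to-last address ranges into CIDR netblocks, emits a blockips.conf in the right order, and mimics how Nginx’s access module walks the rules so you can check which client addresses would reach PHP. The address ranges are constructed RFC 5737 documentation addresses, not Automattic’s real netblocks, and the 403 is what Nginx’s deny directive answers with.

```python
# Added example, not from the original post; the ranges below are constructed.
import ipaddress

# Constructed stand-in for the (first, last) ranges a source article would list.
SAMPLE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.0", "198.51.100.127"),
    ("203.0.113.8", "203.0.113.23"),   # not CIDR-aligned: needs two blocks
]


def ranges_to_cidrs(ranges):
    """Summarize each first-last range into the minimal list of CIDR networks."""
    cidrs = []
    for first, last in ranges:
        cidrs.extend(
            ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)
            )
        )
    return [str(net) for net in cidrs]


def render_blockips_conf(cidrs):
    """Emit blockips.conf: allow lines first, deny all last (order matters)."""
    lines = ["# Automattic's netblocks (constructed placeholders here)"]
    lines += [f"allow {net};" for net in cidrs]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"


def nginx_access_decision(client_ip, conf_text):
    """Mimic ngx_http_access_module: the first matching allow/deny rule wins."""
    ip = ipaddress.ip_address(client_ip)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        verb, target = line.split(None, 1)
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return 200 if verb == "allow" else 403
    return 200  # no rule matched: Nginx lets the request through


if __name__ == "__main__":
    conf = render_blockips_conf(ranges_to_cidrs(SAMPLE_RANGES))
    print(conf)
    for probe in ("198.51.100.9", "203.0.113.20", "198.51.100.200"):
        print(probe, nginx_access_decision(probe, conf))
```

Swapping the order of the rules (deny all first) is the classic mistake with this setup: every request, Jetpack’s included, then gets a 403.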

Fork Puppet(-WP)

My fellow 10upper Eric Mann recently authored a post entitled Just Ship Already in which he encouraged developers to (get this) just ship their code, already! Well, in the interest of doing just that, I’d like to announce a fork of Ryan McCue’s Puppet WordPress module.

That’s Nice. Uh, What?

Puppet is an awesome systems automation tool. Essentially, you can describe (in a Puppet DSL) the way you want a system to be configured (packages installed, processes running, etc.) and then tell Puppet “Do it” and it will, to the best of its ability, make sure that your server looks exactly like you want it. There are all sorts of useful packages of Puppet code out there (they call them “modules”) that extend the base functionality and can do a lot of the heavy lifting for you, instead of you having to develop your own Puppet code. There’s code for Apache configurations, MySQL databases, firewalls, time servers — pretty much anything that you might want to configure and/or automate on a system.


tl;dr version: I joined 10up in October, been very busy since. We just released a fancy-dance new plugin named PushUp Notifications. You should get in on it.

Long version: I joined 10up last October as a Senior Systems Engineer and have been head-down in systems for some pretty large customers since then. Obviously, blog output has suffered. *grin*

We (10up) just launched a nifty little plugin called PushUp Notifications that ties in with Apple Push Notifications for Safari to, get this, send push notifications from your WordPress blog. Publish a post, click the “Push desktop notification” checkbox, and hit “Publish” and all your subscribers will be notified. No RSS feeds, no Facebook updates, it just goes right to their desktops. Right now, it’s a 1.0 product, so it works with Safari for OS X, but in the future, we’re talking about extending it to Firefox, Chrome, iOS — the sky’s the limit, really.

If you’re reading Literal Barrage on Safari, you would’ve been prompted to allow push notifications for the site on your first visit here. Make sure to hit “Allow” and you’ll get notified whenever* I update the site.

Check out the demo video if you want a better sense of how this all works:

*Yeah, I know.

WordCamp St. Louis 2014

I’m speaking this afternoon at WordCamp St. Louis 2014 about making your whole* life easier with WP-CLI.

My slide deck is available right here:

DradCast Episode #15: “A Maker Not A Fighter”

So I did a little thing last night with my buddies Brad and Dre. I think it went pretty well.

Theme Hook Alliance First Pass (1.0-draft)

After I published my previous post detailing the proposed Theme Hook Alliance, I decided to put virtual pen to virtual paper and started the themehookalliance project over on github. A couple of train rides later, I feel like I’m ready for folks to start commenting on it.

So please, if this effort interests you in the slightest, head over to github, comment away, fork and submit pull requests. I’d love to get this effort kicked off and under way.
