Closed WJBarnes456 closed 1 year ago
WJBarnes456
commented
1 year ago I'd open a PR to do this myself if it weren't so late - feel free to ping me if you're reading this message at a later date and I haven't opened one, I probably just forgot. Of course feel free to solve yourself too :)
rsa33
commented
1 year ago You are correct that WordPress' XML-RPC interface is a liability that should be disabled, which is why we actually block access to it server-wide -- see https://sample.soc.srcf.net/wordpress/xmlrpc.php for example. It is perhaps still worth noting in the docs though!
(To date, I believe we've only had one user note the block and request an exemption, though after explaining the risks as you've rightly pointed to, they didn't press for it.)
WJBarnes456
commented
1 year ago Thanks for the quick response! I'm glad to hear that's the case, I'm happy to close then.
It is perhaps still worth noting in the docs though!
If I remember I'll give the securing page a quick tidy to sort out some of the grammar anyway
mas90
commented
1 year ago I wonder whether it would be a good idea for the documentation to mention the block, both so that SRCF users know that we're handling that, and so that non-SRCF users who stumble upon our documentation know to do it? Our documentation may be aimed at our own users, but this page in particular is more broadly relevant and may show up in Google searches.
I was reading through https://docs.srcf.net/guides/websites/securing-wordpress/, as a university society I remain on good terms with is thinking of using WordPress as a CMS.
I noticed that neither this file, nor the sample htaccess file at
/public/societies/sample/public_html/wordpress/.htaccess, advocates for restricting access to thexmlrpc.phpfile, which is enabled by default, and can be used to significantly amplify brute force attacks against the WordPress instance. This would make a weak admin password even easier to crack.I suggest adding this to https://github.com/srcf/docs/blob/master/content/guides/websites/securing-wordpress.md and the reference .htaccess file (though I have no idea where that can be found!)