The WordPress Core Team has done their due diligence and has submitted a patch for the vulnerability. You can apply it by updating your WordPress runtime to the latest version (or the latest patch build of your current release line). If you haven’t already, you should absolutely update your installation the next chance you get.
XML-RPC is a Problem
Something that bears mentioning here is the WordPress XML-RPC itself.
Unless you are using a plugin that requires this now nearly ancient form of site access and control, XML-RPC is extra baggage that you need not carry around.
Given the utter lack of XML-RPC usage across our client sites, the best fix for the current vulnerability, and a good preventative measure against similar attack vectors, is simply to disable XML-RPC altogether.
In our case, we did this server-wide. Setting up a directive for Apache couldn’t be easier.
In your configuration file (httpd.conf or, preferably, a pre-VirtualHost Include file), simply include the following snippet:
Apache – Disable xmlrpc.php
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the same <Files> block
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
For the Nginx crowd out there, you can use the following:
Nginx – Disable xmlrpc.php
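The Nginx snippet from the original post did not survive on this page, so the following is an added example (not the post’s own configuration) of the equivalent block. It assumes a standard WordPress server block with xmlrpc.php at the web root.

```nginx
# Added example (not the original post's snippet): refuse every request for
# xmlrpc.php before it reaches PHP. Place this inside the server { } block of
# the WordPress site. An exact-match "location =" takes precedence over the
# regex "location ~ \.php$" handler, so PHP-FPM never sees these requests.
location = /xmlrpc.php {
    # Returns 403 to every client; the attempt is still written to the
    # access log, which is useful for spotting brute-force or pingback abuse.
    deny all;
}
```

After `nginx -t` and a reload, confirm with `curl -I https://example.com/xmlrpc.php` (example.com being your own host) that the response is 403; a spike of 403s on /xmlrpc.php in the access log is then a simple thing to alert on.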
If your sites (or your clients’ sites) are not coupled to WordPress XML-RPC, disabling XML-RPC altogether is a great way to remove an attack vector that is often overlooked, exposed, and effectively exploited.
I’m tired today. I came back to the office last night on behalf of a new client. Why? Because I thought it was the right thing to do.
Here’s the backstory. 3 weeks ago, around December 20, 2012, I received an email from an anxious business owner in need of the skills of an expert webmaster. Her website was sending her hundreds of spam emails every day, and her repeated requests to her web designer and host had been unanswered. Until that day, when she was told that they were on vacation, and would not be able to provide any assistance or access to her own website until after the New Year.
She was upset, to put it mildly.
Since then, I have worked with them to make specific requests from the web designer to get website access, FTP or CMS access if available. We received several emails providing usernames and passwords, but none worked. We were being led around.
After the third such email from the web designer, and still no end in sight to the spam problem or gaining access to the website, I moved to Plan B. Luckily, and this isn’t true for everyone, this client had her domain in her own GoDaddy account, so I knew that if I rebuilt the website and wrote a new form processor, I could point the domain to a new host and resolve the issue so she could worry about real goals, like improving her web position and getting new leads!
So last night I downloaded the whole website, set her up on our managed hosting server, built a new contact form processor and compared the old version with the new version to make sure that I’d gotten everything, and that the conversion forms worked properly. When done I pointed her domain to the new hosting.
The result: 4EverFitBody.com is back up and running, and this business now has all the critical logins for their own website and is in touch with competent, caring website managers. That’s what we do, can we do it for you?
Google +1 integration is pretty straightforward, although it can often be complicated by the fact that most businesses don’t directly manage their own web content or rely on a trusted, efficient vendor to update their website in a timely fashion.
This website supports the marketing efforts underway for New Haven Tattoo studio Graphic Images. Graphic Images offers one of the strongest portfolios of tattoo artists anywhere in the Tri-state area and serves New Haven county, Hartford county and tattoo enthusiasts from Boston and New York who travel I-95 based on the strength of the body art they demonstrate.
3PRIME provided complete copywriting, CMS website setup and will be uploading graphics to the portfolio in the coming days. From there, this website will serve as a significant asset in the company’s online marketing efforts.
This website is provided with our managed hosting service.
Just two weeks ago, 3PRIME began performing work for the New England Kitchen Design Center. The Kitchen Design Center is a local company that provides its clients with flexible home improvement help. They’re able to act as a general contractor or in more of a support role for Do-It-Yourself enthusiasts. They came to us to improve their standing and visibility online.
A new client of ours had wanted to switch from their hosting company for a while now but had been hesitant to do so because of how abrasive the company had been with her. With help from 3PRIME they were (finally) able to make the switch, but not without receiving a few parting shots from their old hosting company, which we will call DisgruntledHosts.com. The following is an unaltered correspondence between Doug S. of DisgruntledHosts.com and our client.
I’m actually creating my own website right now (and no, it’s not cosmetics-related) and I seek some advice from you regarding hosting. Just like you, I buy all my domains thru GoDaddy, only so far I never had to worry about hosting and FTP upload. I am reading horror stories online about GoDaddy hosting services and I’m having a hard time evaluating where the truth is… Some love it, some hate it!
Is GoDaddy a decent option for hosting? Or is it for suckers/newbies who don’t know any better?
Regarding hosting, I do recommend GoDaddy, but it may be that I am highly familiar with it, so I am used to ignoring the upsells they send you through when you are setting up services with them. I have had sites run poorly, I have had problems with hacking, but overall, with over 100 sites hosted with them, I’d say they are a good bet.
For something better, and at $60 per year paid upfront very comparable in price, we use KnownHost.com. It takes longer to set up, you have to wait for emails and such (24 hours), but the control panel is much more powerful and the service is somewhat more reliable. Main difference: they don’t provide telephone support. So if you want more personal support, go with GoDaddy.