1 Minute fix for WordPress XML-RPC Pingback Vulnerability to Quadratic Attack

At 3PRIME, we are stewards for quite a few hosting customers, many of whom love WordPress. As such, we support that platform so that we may support the efforts of our disparate clientele.

By now everyone has heard of the XML Quadratic Blowup Attack vulnerability in WordPress.

The WordPress Core Team has done their due diligence and has released a patch for the vulnerability. You can apply it readily by updating your WordPress runtime to the latest version (or the latest patch build of your current release). If you haven’t already, you should absolutely update your installation the next chance you get.

XML-RPC is a Problem

Something that bears mentioning here is the WordPress XML-RPC itself.

Unless you are using a plugin that requires using this now nearly ancient form of site access and control, XML-RPC is otherwise extra baggage that you need not carry around.

Given the utter lack of XML-RPC usage across our client sites, the best fix for the current vulnerability, and a good preventative measure against similar attack vectors, is simply to disable XML-RPC altogether.

In our case, we did this server-wide. Setting up a directive for Apache couldn’t be easier.

In your configuration file (httpd.conf or, preferably, a pre-VirtualHost Include file), simply include the following snippet:

Apache – Disable xmlrpc.php

# Block every request for xmlrpc.php, regardless of which vhost serves it.
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat,
# otherwise use "Require all denied" inside the same <Files> block.
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

For the Nginx crowd out there, you can use the following:

Nginx – Disable xmlrpc.php

server {
    # ... the rest of your server block ...

    # Exact-match location: only /xmlrpc.php itself is blocked, nothing else.
    location = /xmlrpc.php {
        deny all;
    }
}

If your site (or your clients’ sites) is not coupled to WordPress XML-RPC, disabling XML-RPC altogether is a great way to remove one attack vector that is often overlooked, exposed, and effectively exploited.
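Where a site does have to keep XML-RPC enabled for a plugin, the server-side rule above is not available, so here is an added example (not code from the original post or from WordPress) of the kind of pre-filter a request handler or WAF hook can run on the raw body before it reaches the XML-RPC parser: oversized bodies and anything carrying a DOCTYPE or ENTITY declaration, which a legitimate pingback or posting client never sends, are rejected before any XML is parsed. The size limit, the function names, and the sample requests are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed limit: real XML-RPC requests (pingback.ping, wp.getPosts, ...)
# are a few hundred bytes to a few kilobytes.
MAX_BODY_BYTES = 64 * 1024

# Entity-expansion attacks need a DOCTYPE with ENTITY declarations; XML-RPC
# never needs either, so their mere presence is grounds for rejection.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


def screen_xmlrpc_body(body: bytes):
    """Screen a raw XML-RPC request body.

    Returns (accepted, detail): on acceptance detail is the methodName,
    otherwise it is the reason for rejection. Nothing is parsed until the
    cheap byte-level checks have passed.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    if DOCTYPE_RE.search(body) or ENTITY_RE.search(body):
        return False, "DOCTYPE/ENTITY declarations are not allowed in XML-RPC"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "methodCall":
        return False, "root element is not methodCall"
    name = root.findtext("methodName")
    if not name:
        return False, "missing methodName"
    return True, name


# Constructed sample: an ordinary pingback request as a blog client would send it.
BENIGN_PINGBACK = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://example.com/source-post/</string></value></param>
    <param><value><string>http://example.org/target-post/</string></value></param>
  </params>
</methodCall>"""

# Constructed sample: the same call, but with a DOCTYPE declaring an entity.
# This is the shape the filter exists to stop, so it is rejected unparsed.
WITH_DOCTYPE = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY x "placeholder"> ]>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params><param><value><string>&x;</string></value></param></params>
</methodCall>"""


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_PINGBACK), ("doctype", WITH_DOCTYPE)):
        accepted, detail = screen_xmlrpc_body(body)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} ({detail})")
```

The order of the checks matters: the length and DOCTYPE tests are plain byte scans, so a large or entity-laden body is discarded at the cost of one regex pass, and only bodies that are already known to contain no entity declarations ever reach the XML parser.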

IT Reflection for the new year.

January 1st was the 30th anniversary of the modern internet. The 1st marked the cutover to TCP/IP.

Where computers had a giant impact on the way we do our work and whatnot, TCP/IP has had and continues to have an even greater impact. Prior to TCP/IP all things were proprietary. Sharing and sending information between the various networks was all but impossible. TCP/IP changed all of that, paving the way for what we have today.

It has been the underlying tidal force of my entire career. Computers may have been the vehicle, but without TCP/IP there is nowhere to go, stuck on an island trapped in a silo. TCP/IP changed all of that. Computers in their current forms and iterations are nothing like what they were 30 years ago (ok, sans a keyboard, and yes, we still have command prompts). TCP/IP, on the other hand, is the same for the most part. Even with the addition of IPv6 it’s still the same at its core; it just has more segments, and it’s still TCP/IP. One could argue the same thing about computers, that at their core they are still the same too, but to that I say “Shush! This is TCP/IP’s day, not yours, 8086”.

Take a moment, sit back and look at all the devices around you. Every news feed alert, IM message, each dungeon run or quest you complete (fellow Warcraft players, I’m looking at you), all the Netflix movies you watch on a smart TV and every wall you post to would not be what it is today without the pioneering work of Vint Cerf in 1973, Robert Kahn in the 1970’s, and Jon Postel.

There are many other very smart and creative people who provided frameworks to make these things happen, but the creation of TCP/IP was the road which they all had to navigate.


Thanks for one heck of a ride so far. {Tip of the hat and toast of the Red Bull to ya, TCP/IP}


Better Results In Less Than 1 Month

Three weeks ago 3PRIME was contacted by an Optometrist based in Florida, who was referred to us from a longtime client. The doctor came to us looking for a way to improve his web presence.

The website he had been using at the time was static, and it was nearly impossible to have it updated in a timely manner. Worst of all, the site wasn’t ranked in Google, so the number of people accessing it was extremely limited.

So 3PRIME took the static site, rebuilt it as a WordPress website and launched it on Friday 1/20/2012. We checked back on it just this morning and found that the homepage had been spidered by Google along with four other inner pages.

When we searched for the primary term that we built into the revamped homepage, even we were surprised by what we saw. You can see from the picture insert how the website shot up through the rankings. If you’re interested in results like this, then make sure to contact 3PRIME.

Services provided

  • Setup new hosting
  • Domain management to build on a temporary subdomain
  • Setup WordPress with a simple but powerful theme
  • Reorganized existing content, which was plentiful and created new pages
  • SEO focused on the page names and URLs, as well as the organization of content
  • Took lengthy FAQ page and broke into over 30 individual pages, providing lots of SEO potential
  • Incorporated existing images and color scheme, as this was not a redesign project
  • Rebuilt appointment form and added contact form
  • Provided reformatted website to client for review and received approval from the client to launch the website.

There's A Lot To Be Thankful For

For starters, we’re thankful for our families, and for a change of scenery. And we’re also very thankful for our clients and the other relationships we’ve been able to forge through this company’s history. This time of year is always good for looking back and seeing how far we’ve come.

And with that in mind, the staff here at 3PRIME would like to wish everyone a safe and happy Thanksgiving Holiday!

3PRIME Updates Website for New Haven-based Compass Strategic Consulting

Compass Strategic Consulting is a business that was founded in 1994 to provide a full range of marketing and business development services to life science companies with innovative technologies and programs. Recently they sought the services of 3PRIME to make a whole suite of improvements to their website.


Latest Work: The New England Kitchen Design Center

Just two weeks ago, 3PRIME began performing work for the New England Kitchen Design Center. The Kitchen Design Center is a local company and they provide their clients with flexible home improvement help. They’re able to act as a general contractor or in more of a support role for Do-It-Yourself enthusiasts. They came to us to improve their standing and visibility online.

Godaddy web hosting

This question comes from an Internet associate:

I’m actually creating my own website right now (and no, it’s not cosmetics-related) and I seek some advice from you regarding hosting. Just like you, I buy all my domains thru GoDaddy, only so far I never had to worry about hosting and FTP upload. I am reading horror stories online about GoDaddy hosting services and I’m having a hard time evaluating where the truth is… Some love it, some hate it!

Is GoDaddy a decent option for hosting? Or is it for suckers/newbies who don’t know any better?

Regarding hosting, I do recommend GoDaddy, but it may be that I am highly familiar with it, so I am used to ignoring the upsells they send you through when you are setting up services with them. I have had sites run poorly, I have had problems with hacking, but overall, with over 100 sites hosted with them, I’d say they are a good bet.

For something better, and at $60 per year paid upfront very comparable in price, we use KnownHost.com. It takes longer to set up, you have to wait for emails and such (24 hours), but the control panel is much more powerful and the service is somewhat more reliable. Main difference: they don’t provide telephone support. So if you want more personal support, go with GoDaddy.



GeoCities: R.I.P

For those of you who haven’t heard, Yahoo! has officially shut down Geocities. And they’re just in time for Halloween in case anyone wants to go trick or treating as their dead GeoCities page. Spooky.

But why would Yahoo! just throw away something that they spent good money for, about 3.57 billion dollars in 1999? GeoCities web pages still saw around ten million visitors per month, and some may think (as many did) that those kinds of numbers were worth having around. At the very least they could have tried to sell the company; basically anything they made would end up being more than what they got by unceremoniously shutting it down.

Of course, they could have been trying to cannibalize GeoCities into their Yahoo! web hosting service. An offer to join the service was included with the announcement that GeoCities was closing to its users. It must have been a bitter pill to swallow: “So, yeah, we’re shutting all of this free stuff down but now you get to pay for web hosting for only 4.99 a month! We know you must be excited.”

And while 4.99 isn’t a lot for web hosting, it’s still 4.99 more a month than most GeoCities users were paying. Besides, 4.99 is good for almost two gallons of gas in some places. Maybe.

Yahoo! never found a way to make GeoCities profitable, or at least profitable enough for them. And while I’m not going to say that they ran it into the ground, that’s surely where it is now.