{"id":46142,"date":"2019-08-24T03:01:30","date_gmt":"2019-08-23T17:01:30","guid":{"rendered":"http:\/\/www.rjmprogramming.com.au\/ITblog\/?p=46142"},"modified":"2022-11-24T12:43:12","modified_gmt":"2022-11-24T02:43:12","slug":"xml-rpc-on-wordpress-vulnerability-primer-tutorial","status":"publish","type":"post","link":"https:\/\/www.rjmprogramming.com.au\/ITblog\/xml-rpc-on-wordpress-vulnerability-primer-tutorial\/","title":{"rendered":"XML-RPC on WordPress Vulnerability Primer Tutorial"},"content":{"rendered":"<div style=\"width: 230px\" class=\"wp-caption alignnone\"><a target=_blank href=\"http:\/\/www.rjmprogramming.com.au\/Mac\/xmlrpc_subdue.jpg\"><img decoding=\"async\" style=\"float:left;border: 15px solid pink;\" alt=\"XML-RPC on WordPress Vulnerability Primer Tutorial\" src=\"http:\/\/www.rjmprogramming.com.au\/Mac\/xmlrpc_subdue.jpg\" title=\"XML-RPC on WordPress Vulnerability Primer Tutorial\"  \/><\/a><p class=\"wp-caption-text\">XML-RPC on WordPress Vulnerability Primer Tutorial<\/p><\/div>\n<p>If you researched <a target=_blank title='XML-RPC' href='http:\/\/en.wikipedia.org\/wiki\/XML-RPC'>XML-RPC<\/a> when you read our <a title='Flickr and WordPress Integration Primer Tutorial' href='#fwipt'>Flickr and WordPress Integration Primer Tutorial<\/a> about the capabilities of (the online image repository) Flickr and WordPress automation of blog postings, you&#8217;d have been like me, and have been very enthusiastic about the possibilities.  If you are the same, perhaps you are like me, and have zero interest in hacking, and attempts at stealing other people&#8217;s online information, all the way through to their identities.<\/p>\n<p>Alas, in the case of WordPress, XML-RPC, as you can read about at <a target=_blank title='Useful link, thanks' href='https:\/\/medium.com\/@the.bilal.rizwan\/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32'>this link<\/a>, can be used to &#8220;hack&#8221; into a WordPress blog administration account via a &#8220;brute force&#8221; attack &#8230;<\/p>\n<blockquote cite='https:\/\/medium.com\/@the.bilal.rizwan\/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32'><p>\nThe main weaknesses associated with XML-RPC are: Brute force attacks: Attackers try to login to WordPress using xmlrpc.php .\n<\/p><\/blockquote>\n<p>We decided to close off this vulnerability at our <a target=_blank title='WordPress blog' href='http:\/\/www.rjmprogramming.com.au\/wordpress\/'>WordPress blog<\/a>, but how?<\/p>\n<ul>\n<li>click off the &#8220;XML-RPC&#8221; checkbox at WordPress 3.0.3 TwentyTen theme admin Settings -&gt; Writing (Remote Publishing)<\/li>\n<li>applied a <a target=_blank title='Apache .htaccess information' href='https:\/\/httpd.apache.org\/docs\/current\/howto\/htaccess.html'>.htaccess<\/a> file solution (at our <a target=_blank href='https:\/\/en.wikipedia.org\/wiki\/Apache_HTTP_Server' title='Apache web server information from Wikipedia ... thanks'>Apache<\/a> web server), including into it, thanks to the advice of <a target=_blank title='Useful link' href='https:\/\/www.namehero.com\/startup\/how-to-safely-disable-xmlrpc-in-wordpress-while-keeping-jetpack\/'>How To Safely Disable XMLRPC In WordPress (While Keeping Jetpack)<\/a> &#8230;<br \/>\n<code><br \/>\n&lt;Files xmlrpc.php&gt;<br \/>\nOrder allow,deny<br \/>\nDeny from all<br \/>\n&lt;\/Files&gt;<br \/>\n<\/code>\n<\/li>\n<\/ul>\n<p> &#8230; and settle for manual approaches to open this up when Flickr\/WordPress automations of blog postings are needed (or add your own &#8220;Allow from 999.9.99.9&#8221; type record between &#8220;Order allow,deny&#8221; and &#8220;Deny from all&#8221; above), for any given reason, into the future.<\/p>\n<p>Here&#8217;s a list of links we visited reading up on this subject &#8230;<\/p>\n<ul>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.google.com\/search?q=wordpress+xmlrpc+php&#038;rlz=1C5CHFA_enAU832AU832&#038;oq=wordpress+xmlrpc+php&#038;aqs=chrome..69i57j0l5.7495j0j4&#038;sourceid=chrome&#038;ie=UTF-8'>wordpress xmlrpc php &#8211; Google Search<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.hostinger.com\/tutorials\/xmlrpc-wordpress'>What Is xmlrpc.php in WordPress and Why You Should Disable It<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.google.com\/search?q=disabling+xml-rpc+3.0.3+wordpress&#038;rlz=1C5CHFA_enAU832AU832&#038;oq=disabling+xml-rpc+3.0.3+wordpress&#038;aqs=chrome..69i57.12910j1j4&#038;sourceid=chrome&#038;ie=UTF-8'>disabling xml-rpc 3.0.3 wordpress &#8211; Google Search<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.greengeeks.com\/tutorials\/article\/how-to-enable-and-disable-xmlrpc-php-in-wordpress-and-why\/'>How to Enable and Disable XMLRPC.PHP in WordPress and Why &#8211; GreenGeeks<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.google.com\/search?q=Disable+XML-RPC+plugin+earlier+than+3.5&#038;rlz=1C5CHFA_enAU832AU832&#038;oq=Disable+XML-RPC+plugin+earlier+than+3.5&#038;aqs=chrome..69i57j33l5.10707j0j4&#038;sourceid=chrome&#038;ie=UTF-8'>Disable XML-RPC plugin earlier than 3.5 &#8211; Google Search<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.google.com\/search?q=can+i+rename+xmlrpc.php&#038;rlz=1C5CHFA_enAU832AU832&#038;oq=can+i+rename+xmlrpc.php&#038;aqs=chrome..69i57j0l5.3962j0j4&#038;sourceid=chrome&#038;ie=UTF-8'>can i rename xmlrpc.php &#8211; Google Search<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/wordpress.stackexchange.com\/questions\/219643\/best-way-to-eliminate-xmlrpc-php'>security &#8211; Best way to eliminate xmlrpc.php? &#8211; WordPress Development Stack Exchange<\/a><\/li>\n<li><a target=_blank title='Useful link, thanks' href='https:\/\/www.namehero.com\/startup\/how-to-safely-disable-xmlrpc-in-wordpress-while-keeping-jetpack\/'>How To Safely Disable XMLRPC In WordPress (While Keeping Jetpack)<\/a><\/li>\n<\/ul>\n<p><b><i>Did you know?<\/i><\/b><\/p>\n<p>There are occasions you want to know what IP address the rest of the net sees you at, your so called &#8220;public IP address&#8221;.  Just type <font size=1>(rather than assume 999.9.99.9 &#8230; chortle, chortle)<\/font> &#8230;<\/p>\n<p><code><br \/>\n<a target=_blank title='my ip address' href='https:\/\/www.google.com\/search?q=my+ip+address&#038;rlz=1C5CHFA_enAU832AU832&#038;oq=my+ip+address&#038;aqs=chrome..69i57j0l5.3742j0j4&#038;sourceid=chrome&#038;ie=UTF-8'>my ip address<\/a> into the address bar or a search engine<br \/>\n<\/code><\/p>\n<hr>\n<p id='fwipt'>Previous relevant <a target=_blank title='Flickr and WordPress Integration Primer Tutorial' href='\/\/www.rjmprogramming.com.au\/ITblog\/flickr-and-wordpress-integration-primer-tutorial\/'>Flickr and WordPress Integration Primer Tutorial<\/a> is shown below.<\/p>\n<div style=\"width: 230px\" class=\"wp-caption alignnone\"><a target=_blank href=\"http:\/\/www.rjmprogramming.com.au\/FlickrFeed\/WordpressBlogConnection\/\"><img decoding=\"async\" style=\"float:left;border: 15px solid pink;\" alt=\"Flickr and WordPress Integration Primer Tutorial\" src=\"http:\/\/www.rjmprogramming.com.au\/FlickrFeed\/WordpressBlogConnection\/Flickr_Wordpress.jpg\" title=\"Flickr and WordPress Integration Primer Tutorial\"  \/><\/a><p class=\"wp-caption-text\">Flickr and WordPress Integration Primer Tutorial<\/p><\/div>\n<p>Photo sharing on the web is very popular, and <a target=_blank title='Flickr Photo Sharing' href='http:\/\/www.flickr.com\/'>Flickr<\/a> is a very popular photo sharing website.  Today we build on <a title='JSON and jQuery Javascript Flickr Feed Tutorial' href='#jjfft'>JSON and jQuery Javascript Flickr Feed Tutorial<\/a> as shown below, and show a Flickr piece of Sharing functionality that allows you to log into Flickr and post a photograph to a WordPress blog as a new posting (cute, huh).<\/p>\n<p><strong>Below are some good background reading for the concepts of this tutorial and to do with using Flickr Photo Sharing, all via Wikipedia:<\/strong><\/p>\n<ul>\n<li><a target=_blank title='XML-RPC' href='http:\/\/en.wikipedia.org\/wiki\/XML-RPC'>XML-RPC<\/a><\/li>\n<li><a target=_blank title='JSON' href='http:\/\/en.wikipedia.org\/wiki\/JSON'>JSON<\/a><\/li>\n<li><a target=_blank title='XML' href='http:\/\/en.wikipedia.org\/wiki\/XML'>XML<\/a><\/li>\n<li><a target=_blank title='RSS Feed' href='http:\/\/en.wikipedia.org\/wiki\/RSS'>RSS Feed<\/a><\/li>\n<li><a target=_blank title='jQuery' href='http:\/\/en.wikipedia.org\/wiki\/JQuery'>jQuery<\/a><\/li>\n<li><a target=_blank title='JavaScript' href='http:\/\/en.wikipedia.org\/wiki\/Javascript'>JavaScript<\/a><\/li>\n<li><a target=_blank title='Flickr image hosting' href='http:\/\/en.wikipedia.org\/wiki\/Flickr'>Flickr image hosting<\/a><\/li>\n<\/ul>\n<p>Link to <a target=_blank title='click picture' href='http:\/\/www.rjmprogramming.com.au\/FlickrFeed\/WordpressBlogConnection\/'>tutorial<\/a> here (where, along the way you&#8217;ll see lots of Flickr Sharing functionalities and great software integration options described &#8230; <a target=_blank title='Flickr Photo Sharing' href='http:\/\/www.flickr.com\/services\/'>start here<\/a>), the work of which resulted in &#8230;<\/p>\n<p><iframe src='http:\/\/www.rjmprogramming.com.au\/wordpress\/?p=5978#main' width=650 height=700><\/iframe><\/p>\n<hr \/>\n<p id='jjfft'>Previous <a target=_blank title='JSON and jQuery Javascript Flickr Feed Tutorial' href='http:\/\/www.rjmprogramming.com.au\/wordpress\/?p=1477'>JSON and jQuery Javascript Flickr Feed Tutorial<\/a> is shown below.<\/p>\n<div style=\"width: 230px\" class=\"wp-caption alignnone\"><a target=_blank href=\"http:\/\/www.rjmprogramming.com.au\/Javascript\/jQuery\/FlickrFeed\/\"><img decoding=\"async\" style=\"float:left;border: 15px solid pink;\" alt=\"JSON and jQuery Javascript Flickr Feed Tutorial\" src=\"http:\/\/www.rjmprogramming.com.au\/Javascript\/jQuery\/FlickrFeed\/Flickr_Ideas-0of.jpg\" title=\"JSON and jQuery Javascript Flickr Feed Tutorial\"  \/><\/a><p class=\"wp-caption-text\">JSON and jQuery Javascript Flickr Feed Tutorial<\/p><\/div>\n<p>Web browser users really like to make use of data feeds and one of the protocol formats they are often using when accessing RSS feeds is JSON (and XML), as outlined below in a Wikipedia entry.   In this tutorial we see JavaScript jQuery library functionality accessing the Flickr image hosting share area used by this domain here at rjmprogramming.com.au and then go on to show you some steps in making a Web Application that could access this Flickr image hosting photo data.<\/p>\n<blockquote>\n<p>JSON (pron.: \/\u02c8d\u0292e\u026as\u0252n\/ JAY-sawn, pron.: \/\u02c8d\u0292e\u026as\u0259n\/ JAY-sun), or JavaScript Object Notation, is a text-based open standard designed for human-readable data interchange. It is derived from the JavaScript scripting language for representing simple data structures and associative arrays, called objects. Despite its relationship to JavaScript, it is language-independent, with parsers available for many languages.<\/p>\n<p>The JSON format was originally specified by Douglas Crockford, and is described in RFC 4627. The official Internet media type for JSON is application\/json. The JSON filename extension is .json.<\/p>\n<p>The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and web application, serving as an alternative to XML.<\/p>\n<\/blockquote>\n<p>Click <a target=_blank title='click picture' href='http:\/\/www.rjmprogramming.com.au\/Javascript\/jQuery\/FlickrFeed\/'>on picture above<\/a> to see the Flickr Feed tutorial using jQuery and JSON.<\/p>\n<p>Link to Flickr Feed live run <a target=_blank title='Flickr Feed' href='http:\/\/www.rjmprogramming.com.au\/FlickrFeed\/'> for rjmprogramming.com.au Flickr photo set (latest 20)<\/a>.<\/p>\n<p><strong>Below are some good background reading for the concepts of this tutorial all via Wikipedia:<\/strong><\/p>\n<ul>\n<li><a target=_blank title='JSON' href='http:\/\/en.wikipedia.org\/wiki\/JSON'>JSON<\/a><\/li>\n<li><a target=_blank title='XML' href='http:\/\/en.wikipedia.org\/wiki\/XML'>XML<\/a><\/li>\n<li><a target=_blank title='RSS Feed' href='http:\/\/en.wikipedia.org\/wiki\/RSS'>RSS Feed<\/a><\/li>\n<li><a target=_blank title='jQuery' href='http:\/\/en.wikipedia.org\/wiki\/JQuery'>jQuery<\/a><\/li>\n<li><a target=_blank title='JavaScript' href='http:\/\/en.wikipedia.org\/wiki\/Javascript'>JavaScript<\/a><\/li>\n<li><a target=_blank title='Flickr image hosting' href='http:\/\/en.wikipedia.org\/wiki\/Flickr'>Flickr image hosting<\/a><\/li>\n<\/ul>\n<p>Link to Flickr image hosting for rjmprogramming.com.au called <a target=_blank title='rmetimages at Flickr' href='http:\/\/www.flickr.com\/photos\/rjmprogramming\/'>rmetimages<\/a>.<\/p>\n<p>Download programming source code and rename to <a target=_blank title='rmetimages Flickr feed (latest 20)' href='http:\/\/www.rjmprogramming.com.au\/FlickrFeed\/FlickrFeed_jQuery_Json.html_GETME'>FlickrFeed_jQuery_Json.html<\/a>.<\/p>\n<p><strong><em>Did you know &#8230;<\/em><\/strong><br \/>\nJavaScript makes a great easy-access Calculator?<\/p>\n<p>Try typing the lines below into the address bar of your favourite browser:<\/p>\n<p>Javascript: eval(512 \/ 380);<br \/>\nJavascript: eval(512 * 380);<br \/>\nJavascript: eval(512 &#8211; 380);<br \/>\nJavascript: eval(512 + 380);<br \/>\nJavascript: eval(512 % 380);<\/p>\n<p>These days we spend so much time on the Internet it is a much quicker way to get to a calculator!\n<\/p>\n<p>You may want to try the new Android App called <a target=_blank title='Flickr Latest 20' href='https:\/\/play.google.com\/store\/apps\/details?id=com.rjmprogramming.flickrlatest20#?t=W251bGwsMSwyLDIxMiwiY29tLnJqbXByb2dyYW1taW5nLmZsaWNrcmxhdGVzdDIwIl0.'>Flickr Latest 20<\/a>.<\/p>\n<p>If this was interesting you may be interested in <a title='Click here to see topics in which you might be interested' href='#d1477' onclick='var dv=document.getElementById(\"d1477\"); dv.innerHTML = \"&lt;iframe width=670 height=600 src=\" + \"http:\/\/www.rjmprogramming.com.au\/wordpress\/?s=Flickr\" + \"&gt;&lt;\/iframe&gt;\"; dv.style.display = \"block\";'>this<\/a> too.<\/p>\n<div id='d1477' style='display: none; border-left: 2px solid green; border-top: 2px solid green;'><\/div>\n<hr \/>\n<p>If this was interesting you may be interested in <a title='Click here to see topics in which you might be interested' href='#d6005' onclick='var dv=document.getElementById(\"d6005\"); dv.innerHTML = \"&lt;iframe width=670 height=600 src=\" + \"http:\/\/www.rjmprogramming.com.au\/wordpress\/?s=Flickr\" + \"&gt;&lt;\/iframe&gt;\"; dv.style.display = \"block\";'>this<\/a> too.<\/p>\n<div id='d6005' style='display: none; border-left: 2px solid green; border-top: 2px solid green;'><\/div>\n<hr>\n<p>If this was interesting you may be interested in <a title='Click here to see topics in which you might be interested' href='#d46142' onclick='var dv=document.getElementById(\"d46142\"); dv.innerHTML = \"&lt;iframe width=670 height=600 src=\" + \"https:\/\/www.rjmprogramming.com.au\/ITblog\/tag\/security\" + \"&gt;&lt;\/iframe&gt;\"; dv.style.display = \"block\";'>this<\/a> too.<\/p>\n<div id='d46142' style='display: none; border-left: 2px solid green; border-top: 2px solid green;'><\/div>\n","protected":false},"excerpt":{"rendered":"<p>If you researched XML-RPC when you read our Flickr and WordPress Integration Primer Tutorial about the capabilities of (the online image repository) Flickr and WordPress automation of blog postings, you&#8217;d have been like me, and have been very enthusiastic about &hellip; <a href=\"https:\/\/www.rjmprogramming.com.au\/ITblog\/xml-rpc-on-wordpress-vulnerability-primer-tutorial\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,37],"tags":[61,151,327,3053,629,1565,1114,1319,1421,1456,3054],"class_list":["post-46142","post","type-post","status-publish","format-standard","hentry","category-elearning","category-tutorials","tag-administration","tag-blog","tag-did-you-know","tag-hack","tag-ip-address","tag-login","tag-security","tag-tutorial","tag-website","tag-wordpress","tag-xml-rpc"],"_links":{"self":[{"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/posts\/46142"}],"collection":[{"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/comments?post=46142"}],"version-history":[{"count":3,"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/posts\/46142\/revisions"}],"predecessor-version":[{"id":57610,"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/posts\/46142\/revisions\/57610"}],"wp:attachment":[{"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/media?parent=46142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/categories?post=46142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rjmprogramming.com.au\/ITblog\/wp-json\/wp\/v2\/tags?post=46142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}