27 Jan 2006

Forbidden XML-RPC

For the last few months we’ve been hearing about the PHPXMLRPC debacle and worm threats toward a few major web applications, including PostNuke, Drupal and Xoops. WordPress is not affected (not that I am aware of) because it uses a different XML-RPC library called IXR.

Without any notification, my web hosting provider Exabytes Network has taken its own security measures to avoid such threats. Which is good, actually. As a result, all XML-RPC for PHP requests are forbidden, which includes the failure of the pingback service toward this blog. I have no idea when they started applying this new setting. Furthermore, according to them: “When we are getting information on any security threats, all the server will be having the same security measurement applied to prevent all our customer site from exposed to such exploit.” Don’t you love how these guys work? Saves us all the trouble indeed.

So today I asked them if they could remove their “xml” security setting on this server, and they agreed. Now all pingbacks are back to normal (I think!).

If you would like to apply your own “security measure” against XML-RPC for PHP requests, and assuming every XML-RPC endpoint uses the standard file name xmlrpc.php, you can put an entry like this inside your httpd.conf:

<FilesMatch "xmlrpc\.php$">
   Order deny,allow
   Deny from all
</FilesMatch>

Basically, it makes Apache refuse any request for a file named xmlrpc.php (the client gets a 403 Forbidden), whichever directory the file lives in. Note that this is exactly the restriction that broke the pingbacks described above, since pingbacks are delivered to xmlrpc.php, so it only makes sense on a site that does not use XML-RPC at all. There are many other ways to do it; this is just one of them.

Why are pingbacks so important?

Pingback is a method for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software, like WordPress, support automatic pingbacks where all the links in a published article can be pinged when the article is published.

en.wikipedia.org/Pingback

So basically, if you write an entry that links to a post on another blog, your blog automatically sends a pingback (an XML-RPC call carrying your entry’s URL and the linked post’s URL) to that blog’s xmlrpc.php. The receiving blog then fetches your entry, checks that it really contains the link, and shows an excerpt under the linked post. TrackBack serves the same purpose, showing a list of other blogs that refer to a post, but the sender pushes the title and excerpt itself in a plain HTTP POST instead of an XML-RPC call. I use this method to track down all the other blogs or websites that mention my blog, by using Technorati search. To use Technorati’s services to the fullest, just register an account there and claim your blog.
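To show what the 403 from a blanket deny on xmlrpc.php actually interrupts, here is the pingback exchange modelled in Python. This is an added example, not code from the original post or from WordPress/IXR: the two blog pages and their blog-a.example / blog-b.example URLs are constructed for the example, the receiving side is called in-process instead of over HTTP, and autodiscovery looks only at the <link rel="pingback"> element (the X-Pingback response header is not modelled). The fault codes 0x0011 and 0x0030 are the ones defined by the Pingback 1.0 specification; the function names are this example’s own.

```python
"""Pingback exchange between two blogs, modelled offline.

Added example, not code from the original post or from WordPress/IXR.
Both blog pages are constructed inline and the receiving side is called
in-process, so nothing is fetched over the network.
"""
import re
import xmlrpc.client
from html.parser import HTMLParser

# Fault codes defined by the Pingback 1.0 specification.
FAULT_NO_LINK = 0x0011             # source URI does not contain a link to the target
FAULT_ALREADY_REGISTERED = 0x0030  # the pingback has already been registered

# Constructed sample pages on hypothetical hosts, standing in for HTTP fetches.
PAGES = {
    "http://blog-a.example/2006/01/27/forbidden-xml-rpc": (
        "<html><head><title>Forbidden XML-RPC</title>"
        '<link rel="pingback" href="http://blog-a.example/xmlrpc.php"></head>'
        "<body><p>Pingback failures were caused by my host blocking xmlrpc.php, as "
        '<a href="http://blog-b.example/posts/ixr">Blog B</a> also noticed.</p></body></html>'
    ),
    "http://blog-b.example/posts/ixr": (
        '<html><head><link rel="pingback" href="http://blog-b.example/xmlrpc.php"></head>'
        "<body><p>WordPress ships IXR instead of the PEAR XML-RPC library.</p></body></html>"
    ),
}


class PageInfo(HTMLParser):
    """Collect a page's pingback endpoint, outgoing links and body text."""

    def __init__(self):
        super().__init__()
        self.pingback = None
        self.hrefs = []
        self._text = []
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "pingback":
            self.pingback = a.get("href")
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "body":
            self._in_body = True

    def handle_data(self, data):
        if self._in_body:
            self._text.append(data)

    def excerpt(self, limit=60):
        return re.sub(r"\s+", " ", " ".join(self._text)).strip()[:limit]


def parse_page(url):
    info = PageInfo()
    info.feed(PAGES[url])  # a real implementation would GET the URL here
    return info


def discover_pingback_endpoint(target):
    """Autodiscovery from <link rel="pingback">; the X-Pingback header is not modelled."""
    return parse_page(target).pingback


def build_ping_request(source, target):
    """Client side: the XML-RPC body that is POSTed to the target's xmlrpc.php."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")


def handle_ping_request(body, registered):
    """Server side (the job of xmlrpc.php): verify the claimed link, record it, return an excerpt."""
    params, method = xmlrpc.client.loads(body)
    if method != "pingback.ping" or len(params) != 2:
        raise xmlrpc.client.Fault(-32601, "unsupported method")
    source, target = params
    page = parse_page(source)  # the receiver fetches the source itself; it never trusts the caller
    if target not in page.hrefs:
        raise xmlrpc.client.Fault(FAULT_NO_LINK, "source does not link to target")
    if (source, target) in registered:
        raise xmlrpc.client.Fault(FAULT_ALREADY_REGISTERED, "pingback already registered")
    registered.add((source, target))
    return page.excerpt()


def send_pingback(source, target, registered, blocked_endpoints=frozenset()):
    """Whole exchange as seen by the sending blog: excerpt on success, otherwise an error string."""
    endpoint = discover_pingback_endpoint(target)
    if endpoint is None:
        return "error: target is not pingback-enabled"
    if endpoint in blocked_endpoints:  # models a host that denies every request for xmlrpc.php
        return "error: HTTP 403 from " + endpoint
    try:
        return handle_ping_request(build_ping_request(source, target), registered)
    except xmlrpc.client.Fault as fault:
        return f"fault {fault.faultCode:#06x}: {fault.faultString}"


if __name__ == "__main__":
    registered = set()
    src = "http://blog-a.example/2006/01/27/forbidden-xml-rpc"
    tgt = "http://blog-b.example/posts/ixr"
    print(send_pingback(src, tgt, registered))                                    # excerpt
    print(send_pingback(src, tgt, registered))                                    # fault 0x0030
    print(send_pingback(src, tgt, set(), {"http://blog-b.example/xmlrpc.php"}))   # the host's 403
```

The point of the server-side check is that a pingback receiver never trusts the sender’s claim: it fetches the source page itself and only records the pingback if the link is really there, which is why a blanket Deny on xmlrpc.php kills the whole mechanism rather than just the vulnerable library.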

One Comment

  1. Drupal no longer uses the PEAR libraries but adapted a more secure library.