wordpress by-default vulnerability to botnet abuse
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| wordpress (Juju Charms Collection) | New | Undecided | Unassigned | |
Bug Description
Sucuri recently announced that Wordpress has an insecure default configuration that makes it trivial to abuse Wordpress sites for distributed denial of service attacks, if not worse. The Wordpress developers do not intend to fix the problem; Sucuri has some advice for operators to prevent their sites from participating in the attacks, which can save greatly on traffic egress costs in cloud environments, if not prevent public cloud providers from disabling egress from affected machines entirely.
Their suggestion is to create a plugin to add a new filter:
```php
// Remove the pingback method from the XML-RPC method table.
// (The method name below is the pingback XML-RPC method the report
// refers to; the original snippet was cut off at this point.)
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
```
It would be nice if this were a default step in Juju Wordpress charm installations; this may negatively impact the usability of the pingback feature, so perhaps also add a juju-exposed control to allow pingback (and also allow participating in DDoS attacks).
Thanks
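An added example of how the suggested default plus the proposed opt-in control could look as a charm-managed must-use plugin; this is not code from the report, Sucuri or the charm. The `WP_ALLOW_PINGBACK` constant and the `charm_` function names are assumptions: the idea is that the charm writes the constant into wp-config.php when an operator turns the juju setting on, and pingbacks stay disabled otherwise.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingback (hypothetical charm-managed mu-plugin)
 * Description: Drops the pingback.ping XML-RPC method and stops advertising
 *              pingback support unless WP_ALLOW_PINGBACK is true.
 */

// Charm-controlled switch (assumed name). The charm would write
// define( 'WP_ALLOW_PINGBACK', true ); into wp-config.php when the
// operator enables pingbacks. Default: disabled, the safe choice.
if ( ! defined( 'WP_ALLOW_PINGBACK' ) ) {
    define( 'WP_ALLOW_PINGBACK', false );
}

/**
 * Remove the pingback method from the XML-RPC method table.
 * Other XML-RPC methods (remote posting, mobile apps) keep working.
 */
function charm_disable_pingback_method( $methods ) {
    if ( ! WP_ALLOW_PINGBACK ) {
        unset( $methods['pingback.ping'] );
    }
    return $methods;
}
add_filter( 'xmlrpc_methods', 'charm_disable_pingback_method' );

/**
 * Stop advertising pingback support: WordPress sends an X-Pingback
 * response header pointing at xmlrpc.php on every page.
 */
function charm_strip_pingback_header( $headers ) {
    if ( ! WP_ALLOW_PINGBACK ) {
        unset( $headers['X-Pingback'] );
    }
    return $headers;
}
add_filter( 'wp_headers', 'charm_strip_pingback_header' );

// Belt and braces: report pings as closed for every post, so even a
// request that reaches pingback handling is refused.
if ( ! WP_ALLOW_PINGBACK ) {
    add_filter( 'pings_open', '__return_false' );
}
```

Placed in wp-content/mu-plugins/ the file loads without activation, so a site cannot silently lose the protection by deactivating a plugin. To verify the deployment, call the XML-RPC `system.listMethods` method against xmlrpc.php and confirm `pingback.ping` is absent from the response.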