Is your WordPress site slow? XML-RPC could be under attack!

Recently, a WordPress site I manage was having serious downtime issues. Calling the site from a browser resulted in a lag time of many minutes!

Upon looking at the running processes on the server, the list contained multiple Apache processes, around 20, all running at around 20MB each. The maths comes in at 400MB of RAM being used for the Apache processes, and that was resulting in all the allocated server RAM, as well as 100% of the CPU, being consumed. This meant no new client connections were served.

Multiple hard reboots of the server did not solve the problem. The Apache processes were back almost as soon as the server came back up. This was fishy as that meant the connections were sustained in some manner.

On further inspection it appeared that 18 of the Apache processes were connections from a single IP address, and they were all requesting a single file – xmlrpc.php.

As it happens this is quite a popular way to attack a website and crash it. Although I’m still looking for a long-term solution, in the short term I’ve blocked that IP. Another way to safeguard your site is to control access to xmlrpc.php via your .htaccess file. However, take care with this file, as it can prove to be quite useful. More here –

I’ll post more when I have a real solution.

Update: The WordFence site has some more information on XML-RPC as a security risk and how to disable it.
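To make the two steps above concrete, here is an added example (my own, not code from the original post or from WordPress): a small POSIX shell script that counts requests to xmlrpc.php per client IP in an Apache access log, flags the addresses above a threshold, and prints the .htaccess rule that restricts the file. It assumes Apache’s “combined” log format (client IP in the first field, request path in the seventh), Apache 2.4 “Require” syntax with mod_authz_core loaded, and that AllowOverride permits the rule in .htaccess. The log lines and IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot clients flooding xmlrpc.php and emit a blocking rule.
# Constructed sample of Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2014:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.8; http://example.invalid"
203.0.113.7 - - [01/Jan/2014:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'

# Print "count ip" for every client that requested xmlrpc.php, busiest first.
# Field 1 is the client IP and field 7 the request path in the combined format.
# Usage: xmlrpc_hits_per_ip < access.log
xmlrpc_hits_per_ip() {
    awk '$7 == "/xmlrpc.php" || $7 ~ /^\/xmlrpc\.php\?/ { hits[$1]++ }
         END { for (ip in hits) printf "%d %s\n", hits[ip], ip }' | sort -rn
}

# Print only the IPs whose xmlrpc.php request count is at or above $1.
# Usage: xmlrpc_offenders 3 < access.log
xmlrpc_offenders() {
    threshold=$1
    xmlrpc_hits_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Emit a .htaccess fragment for xmlrpc.php. With no arguments it denies the
# file to everyone; with arguments it allows only those addresses (for example
# a remote-publishing client you trust) and, by Apache 2.4 semantics, denies
# all others.
htaccess_xmlrpc_rule() {
    printf '<Files "xmlrpc.php">\n'
    if [ "$#" -eq 0 ]; then
        printf '    Require all denied\n'
    else
        for ip in "$@"; do
            printf '    Require ip %s\n' "$ip"
        done
    fi
    printf '</Files>\n'
}

# Stand-alone demo on the constructed log: list clients with 3 or more
# xmlrpc.php requests, then print a rule that only lets 192.0.2.9 (assumed
# trusted here purely for illustration) reach the file.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_offenders 3
htaccess_xmlrpc_rule 192.0.2.9
```

Run it against a real log with `xmlrpc_hits_per_ip < /var/log/apache2/access.log` (path assumed) to see whether one address dominates the xmlrpc.php traffic the way the 18 processes above did; the rule without arguments is the blunt option when nothing legitimately needs XML-RPC.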

Keep your WordPress site secure

More and more websites are using WordPress as their back-end Content Management System due to its ease of use and excellent built-in search-engine-optimization.

However, as with all software, WordPress does have bugs that are exploited to wreak havoc on your site.

This blog article talks about upgrading your WordPress installation to ensure the latest security patches have been applied, and about the latest WordPress vulnerability.

The report “Facebook apps stealing data and spamming” covers some Facebook apps that steal login details and spam victims’ friends lists. Some of the Facebook apps mentioned in the report are:

  • Stream
  • Posts
  • Your Photos
  • Birthday Invitations

As always, when using social networking sites watch out what apps you use and ask yourself if you absolutely have to use every app that comes your way!

Read the story here

What information does Google collect about you, the browser?

Danny Dover has written an amazing article over at SEOmoz about the information Google tracks and collects about every user of its many service web sites, e.g. GMail, Google Desktop, Google Docs, Postini, YouTube, FeedBurner etc.

Most Internet users are aware of the usual information collected, but here Danny Dover has put together an exhaustive list, from how Google collects information to what it does with it.
If you’re involved in Search Engine Optimization, or even responsible for your organisation’s information security, this is a post well worth reading.

Check it out here

Byron Review – UK Government to Review Internet Risk to Kids

Young kids today face a completely different world to that experienced by their parents. In fact, even as recently as 10 years ago kids weren’t exposed to the kind of media they now have easy access to.

Always-on access to the Internet has brought many risks to children, and these are now to be assessed under the Byron Review here in the U.K. Dr Tanya Byron, a clinical psychologist, will head the review process, which will also look at other media including video games.

To learn more visit The Byron Review site and get involved in the Call for Evidence by clicking here (closing date 30th Nov 2007).

Planning your party using a social network? Watch Out!!

As the new university and college year has kicked off, many are kegging up for the ‘freshers’ parties. Planning parties using social networks like Facebook and MySpace is becoming popular due to the sheer ease with which it’s possible to get invites out. But there is a dark side to this…

Considering the openness of such networks, gatecrashing with the motive to steal is becoming widespread. Laptops, mobiles, iPods, Blackberrys, PSPs and other popular electronic wares make for easy pickings whilst the owner is busy looking down into a bottle or passed out on a sofa.

It’s reported that a party organised on MySpace earlier this year cost an extra $40,000 as various items went missing the morning after.