Comments on: Site Maintenance

By: Bryan

Bryan — Fri, 15 Aug 2014 05:17:31 +0000

The program/script is part of the distribution and supports the pingback/trackback feature as well as some of the connections to mobile apps used to post to the site. The new version in 3.92 is supposed to have fixed the problem, but I don’t use it anyway, so I kept the changed permissions.

By: Badtux

Badtux — Fri, 15 Aug 2014 04:45:25 +0000

Interesting. I have xmlrpc.php on my WordPress setup, but I checked the logs and pretty much nobody is using it. I disabled it like you and will see if any of my users complain. (It is not my personal WordPress, it is a club web site that others post actual content to).

By: Bryan

Bryan — Thu, 14 Aug 2014 19:25:47 +0000

They were using pingbacks through an exploit of a weakness in xmlrpc.php. My host changed the permissions on the file to 600₈ to stop them, and I left the change because I don’t need the features it provides. My host saw a jump in the resources being used by my site and investigated. The attack doesn’t have much of an effect on the normal performance of my site, so I didn’t start looking for a problem.

They were going update crazy for a while, so I was waiting for them to slow down. I was planning to upgrade after the Tour and then a hurricane showed up. Just as well as the security update in 3.92 was the necessary fix for the problem my host found. Nearly Free Speech are good people.

By: Kryten42

Kryten42 — Thu, 14 Aug 2014 15:10:46 +0000

Yeah. I just finished updating my test server here. Now I have to wait for theme/plugin developers to upgrade them where required.

WordPress 3.9.2 Security Release — WP 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing!

And soon… WordPress 4! Which promises to be a real PITA at the start! *sigh*