WordPress plugin to allow JetPack access to xmlrpc.php

So, lately there have been a lot of attacks on our customers’ WordPress XML-RPC interfaces. Simply blocking all access to xmlrpc.php stops JetPack from working properly (Automattic’s servers reach the site through that endpoint), so that was not an option.

So, tonight I put together this WordPress plugin: https://github.com/alfreddatakillen/stop_xmlrpc_attack

On a regular basis, it polls ARIN to get all subnets that belong to Automattic. It then writes to your .htaccess, blocking all access to your xmlrpc.php except from Automattic’s subnets.

WordPress XML-RPC under attack

Update: Use the stop_xmlrpc_attack plugin described above instead. It keeps the subnet list up to date by polling ARIN.

Lately, we and our customers have had a shitload of brute-force and DoS/DDoS attacks targeting the XML-RPC interface in WordPress. First, we just blocked xmlrpc.php in our .htaccess, but soon JetPack started to complain: Automattic must ping the JetPack plugin from time to time.

So we opened up access to xmlrpc.php from Automattic only, adding all of Automattic’s subnets to the .htaccess. This is how:
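The same restriction, written as an added example in Python (this is not code from the original post or from the stop_xmlrpc_attack plugin): it validates an allow-list of CIDR ranges, refuses an empty or catch-all list so that a bad ARIN response can never silently reopen xmlrpc.php to the whole internet, renders the <Files> block for Apache 2.4 (Require ip) or Apache 2.2 (Order/Deny/Allow), and lets you check which client addresses the policy admits before deploying it. The two ranges in SAMPLE_ALLOWED are constructed documentation prefixes, not Automattic’s real subnets.

```python
"""Generate an .htaccess fragment that allows xmlrpc.php only from an allow-list.

Added example: not the plugin's code. Replace SAMPLE_ALLOWED with the ranges
fetched from ARIN; the values below are constructed placeholders.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation prefixes).
# They are NOT Automattic's real subnets.
SAMPLE_ALLOWED = ["192.0.2.0/24", "2001:db8::/32"]


def parse_allowlist(cidrs: List[str]) -> List[Network]:
    """Validate CIDR strings before they reach the web server config.

    Rejects unparseable networks, an empty list, and catch-all ranges
    (a /0 would re-open xmlrpc.php to everyone), instead of writing them out.
    """
    nets: List[Network] = []
    for raw in cidrs:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"bad CIDR {raw!r}: {exc}") from None
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all range {raw!r}")
        nets.append(net)
    if not nets:
        raise ValueError("empty allow-list; keep the previous .htaccess instead")
    return nets


def render_htaccess(nets: List[Network], apache24: bool = True) -> str:
    """Return a <Files> block that admits xmlrpc.php requests only from `nets`."""
    if apache24:
        # Apache 2.4: mod_authz_core syntax; ranges are space separated.
        body = ["    Require ip " + " ".join(str(n) for n in nets)]
    else:
        # Apache 2.2: mod_access syntax; default deny, then one Allow per range.
        body = ["    Order Deny,Allow", "    Deny from all"]
        body += [f"    Allow from {n}" for n in nets]
    return "\n".join(["<Files xmlrpc.php>", *body, "</Files>", ""])


def is_allowed(client_ip: str, nets: List[Network]) -> bool:
    """Evaluate the same policy in Python, e.g. to sanity-check a list before deploying."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    allowed = parse_allowlist(SAMPLE_ALLOWED)
    print(render_htaccess(allowed))
    for probe in ("192.0.2.45", "198.51.100.7"):
        print(probe, "allowed" if is_allowed(probe, allowed) else "blocked")
```

Write the returned text into the .htaccess in the WordPress root by writing a temporary file and renaming it over the old one, so a half-written file never leaves xmlrpc.php open; when the ARIN poll fails, keep the previous file rather than emitting an empty block.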


A proposal: Server-side DHT for WebRTC signalling

WebRTC lacks a server-free way for initiating peer-to-peer connections (“signalling” in WebRTC terminology). The coolest way, of course, would be to add support for DHT in web browsers. However, I can’t see it coming. So what would be the second coolest way? Well, my proposal would be to just outsource the DHT to the server. With a standardized server-to-server protocol and server-side DHT, there is no need for complex centralized server infrastructure.

So, how would I implement a proof-of-concept?

I would use socket.io to connect the web browser to its server. The web browser just tells its server what services/protocols it has. The server then uses a DHT (for example the Node.js bittorrent-dht module) to announce its client’s setup, and listens for other servers with a similar client. When there is a match, the servers connect to each other (using server-to-server socket.io) and pass messages between their clients, making it possible for the clients to initiate a peer-to-peer WebRTC connection.

I might even try to build such a proof-of-concept when there is more time… (If no one else does it.)

Local Ionic and Cordova, without sudo

So, all tutorials and documentation on Ionic Framework tell you to install ionic and cordova globally (using “npm install -g cordova” and “npm install -g ionic”).

That is just so ugly. How am I supposed to use different versions in different projects, and what if I don’t have sudo access?!

Just installing ionic and cordova locally (skipping the -g parameter) does not work, since ionic and cordova will not find each other. So ionic and cordova must be in your PATH, but again, that leads to headaches when dealing with multiple projects with different versions of ionic/cordova.

My solution is to start every project with a Makefile that keeps track of the PATH for the project, and to put the ionic/cordova commands I use into that Makefile. Something like this:

So, first run “make deps” to install cordova and ionic into your local node_modules/.

Then “make start” to create the project. Note that this make command will actually create the project in a subdirectory and then copy it into the same directory as your Makefile. (The ionic command line does not support “ionic start .” for creating a project in the current directory.)

Now you can “make serve”, or add other ionic commands into your Makefile.
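An added example Makefile in the spirit of the post (this is not the author’s own file): it prepends the project’s node_modules/.bin to PATH for every recipe, so the locally installed ionic and cordova find each other without sudo, and provides the deps, start and serve targets described above. It assumes node and npm are already on your PATH; the project name myapp and the blank starter template are placeholders.

```make
# Added example, not the original post's Makefile.
# Everything runs with the project-local binaries first on PATH,
# so no global (sudo) install of ionic/cordova is needed.
SHELL := /bin/sh
APP   := myapp
export PATH := $(CURDIR)/node_modules/.bin:$(PATH)

.PHONY: deps start serve build

# "make deps": install cordova and ionic into ./node_modules (no -g).
# The rule is keyed on the ionic binary so repeated runs are no-ops.
deps: node_modules/.bin/ionic

node_modules/.bin/ionic:
	npm install cordova ionic

# "make start": ionic cannot create a project in ".", so create it in a
# subdirectory and move its contents (including dotfiles) up one level.
start: deps
	ionic start $(APP) blank
	cp -R $(APP)/. .
	rm -rf $(APP)

# "make serve": live-reload dev server, using the local ionic.
serve: deps
	ionic serve

# Add further ionic/cordova commands here as targets, e.g. "make build".
build: deps
	ionic build
```

Because PATH is exported at the top of the Makefile, each project pins its own ionic/cordova versions in package.json and node_modules, and two projects with different versions no longer collide.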