Should You Disable XML-RPC on WordPress?

Wordfence has posted a well-written blog post that describes the XML-RPC API and how disabling it will affect your WordPress-hosted website.

Recent improvements to WordPress and to Wordfence’s blocking tools have lessened the need to disable the API.

Here is the blog post:

Wordfence is one of the most effective plugins for managing security on WordPress-powered websites. Learn more about it here:

Vulnerabilities in WordPress older than 3.8.2, Twitget Plugin and Quick Page Post Redirect Plugin.

WordPress vulnerabilities as reported by Wordfence on April 14, 2014.

WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165

WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166

What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.

Plugin Vulnerability: CSRF/XSS vulnerability in Twitget 3.3.1. If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). Vulnerability ID: CVE-2014-2559 (not yet published)

What to do: Upgrade to Twitget 3.3.3 or later, which contains a fix. The author is aware of the vulnerability and has fixed it.
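The Twitget report above describes the classic pairing of an options form that saves on any POST (CSRF) and echoes the stored value back unescaped (stored XSS). The following is an added illustration of that pattern and of the standard WordPress fix; it is not the Twitget plugin's code, and the `demo_*` names, option name and page slug are placeholders chosen for this example. It assumes it runs inside WordPress, where `check_admin_referer`, `wp_nonce_field`, `esc_attr` and the options API are available.

```php
<?php
// Added illustration (not the Twitget plugin's code): an admin options page
// that saves one text setting. The "vulnerable" handler shows the two defects
// the advisory describes; the "hardened" one shows the usual WordPress fix.
// Assumes it runs inside WordPress. All demo_* names are placeholders.

// --- Vulnerable pattern ---------------------------------------------------
function demo_vulnerable_options_page() {
    if ( isset( $_POST['demo_username'] ) ) {
        // Defect 1 (CSRF): no nonce check, so any POST that carries this field,
        // including one submitted by a page the admin merely visits, is saved.
        update_option( 'demo_username', $_POST['demo_username'] );
    }
    $value = get_option( 'demo_username', '' );
    // Defect 2 (stored XSS): the saved value is written into the form unescaped.
    echo '<form method="post">';
    echo '<input type="text" name="demo_username" value="' . $value . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened pattern -----------------------------------------------------
function demo_hardened_options_page() {
    // Only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['demo_username'] ) ) {
        // CSRF fix: the request must carry a valid nonce bound to this action
        // and to the current user; check_admin_referer() dies otherwise.
        check_admin_referer( 'demo_save_options', 'demo_nonce' );
        // Normalise the input before storing it.
        $clean = sanitize_text_field( wp_unslash( $_POST['demo_username'] ) );
        update_option( 'demo_username', $clean );
    }
    $value = get_option( 'demo_username', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() above verifies.
    wp_nonce_field( 'demo_save_options', 'demo_nonce' );
    // XSS fix: escape for the attribute context at output time, every time.
    echo '<input type="text" name="demo_username" value="' . esc_attr( $value ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Register only the hardened page under Settings.
add_action( 'admin_menu', function () {
    add_options_page(
        'Demo Options',            // page title
        'Demo Options',            // menu title
        'manage_options',          // capability required to see the page
        'demo-options',            // menu slug (placeholder)
        'demo_hardened_options_page'
    );
} );
```

The two fixes are independent: the nonce check stops the option from being changed by a forged request, and escaping at output stops whatever is stored from being rendered as markup. Both are needed, because a value can reach the option by other routes (an import, a second plugin, a direct database edit), so sanitising on input alone does not make the output safe.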

Plugin Vulnerability: Quick Page/Post Redirect Plugin contains a CSRF and stored XSS vulnerability. Vulnerability ID: CVE-2014-2598 (not yet published)

What to do: Upgrade to version 5.0.5 or later. The author is aware of the vulnerability and has fixed it.

These reports courtesy of

Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.

Three new WordPress plugin vulnerabilities and what to do about them

Wordfence reports three new WordPress plugin vulnerabilities. These security-related issues should be resolved as soon as possible.

The plugin Complete Gallery Manager 3.3.3 contains a remotely exploitable file upload vulnerability. Code Canyon, the vendor, recently released a fix. Upgrade immediately to 3.3.4, which contains the fix for this serious vulnerability.

A shell upload vulnerability has been found in an older version of Lazy SEO, version 1.1.9. Make sure you’re running the newest version of this plugin, which is 1.4.1.

An SQL injection vulnerability has been found in the NoSpamPTI plugin. This plugin is deprecated and no longer maintained by its developer, so we recommend you uninstall it and find an alternative.

Wordfence is a cybersecurity solution for WordPress, providing anti-virus and firewall protection for WordPress-installed websites.