1 comment

  1. I figured I’d just look in the Android application’s source code to see how it communicates. You can quickly see XML-RPC in the source.

    So another way to access the blog is using WordPress XML-RPC support. It was improved and enabled by default in version 3.5 very recently. I don’t understand why they brought it back without the option to turn it off. It was on until 2.6, then turned off by default, and now it’s back in 3.5.

    So I found this post. It explains how to disable XML-RPC with one line of code which WordPress respects:

    In your wp-config.php file, add this line after require_once(ABSPATH . 'wp-settings.php');:

    // Tell WordPress to reject every XML-RPC method that requires a login
    add_filter('xmlrpc_enabled', '__return_false');


    This entirely disabled any access I had from the Android application. As of now I’m not getting any site lockout notifications about bad logins, mission accomplished!

    Note: Before disabling, I did a test to make sure BWPS does scan bad logins from xmlrpc as well. Locked myself out using my phone on 3G and got a notification later by email. If it didn’t, then this whole theory would be questionable. So do yourself a favor and disable xmlrpc now! Unless you actually use it and you’re not under constant attacks from Turkish IP addresses.
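The one-liner in the comment above is the right hook, with one caveat worth knowing: the `xmlrpc_enabled` filter is consulted inside `wp_xmlrpc_server::login()`, so it only refuses methods that require credentials (which is exactly what stops password guessing). Methods that need no login, notably `pingback.ping`, still answer, and the `X-Pingback` response header still advertises the endpoint. The must-use plugin below is an added example written for this page, not code from the commenter or from WordPress; it packages the same filter together with the two extra hooks, and the optional 403 short-circuit at the end is an assumption about what "entirely disabled" should mean for a site that has no legitimate XML-RPC client. Placing it in `wp-content/mu-plugins/` means it loads on every request without activation and survives `wp-config.php` edits.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Added example (not from the original post or WordPress core).
 * Turns off XML-RPC methods that need a login and closes the unauthenticated
 * pingback path as well. Save as wp-content/mu-plugins/disable-xmlrpc.php.
 */

// Refuse every XML-RPC method that requires credentials. WordPress checks this
// filter in wp_xmlrpc_server::login() and answers with IXR fault 405
// ("XML-RPC services are disabled on this site."). This is the same filter
// the comment above adds to wp-config.php; a must-use plugin is just a
// tidier place to keep it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled does not cover methods that need no login, so pingback.ping
// would still be reachable. Remove the pingback methods from the table the
// server advertises (and serves) so they return "method does not exist".
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop telling every HTTP client where the endpoint lives.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Optional (assumption: no trusted XML-RPC client at all). xmlrpc.php defines
// XMLRPC_REQUEST before loading WordPress, so by the time 'init' fires we can
// refuse the whole request with a plain 403 before the server object is built.
// Delete this block if something like the Android app must keep working.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

To confirm the authenticated path is closed without the 403 block, POST a `wp.getUsersBlogs` call with bogus credentials to `/xmlrpc.php`: a correctly filtered site returns a `faultCode` of 405 rather than 403 ("Incorrect username or password"), which is also the difference a login-lockout plugin such as BWPS sees. With the 403 block in place the request never reaches the XML-RPC server and the body is the plain text message above.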