Why are xmlrpc.php and wp-cron.php being called so often?

I’m running a WordPress website and I have found from the server logs that xmlrpc.php and wp-cron.php are being requested (POST requests, of course) very frequently, including from some suspicious IPs that reek of malicious activity or attempts. My understanding is that xmlrpc.php provides an “API” for others to interact with the site. wp-cron.php is for periodic tasks. So why do I see so many requests to those pages? Are hackers looking for some kind of backdoor or security hole?


1 comment

  1. We experienced this just last night.

    xmlrpc.php

    Lots of traffic to xmlrpc.php is a classic sign of a WordPress pingback attack. By default, pingbacks are turned on in WP. A non-malicious user/website uses this mechanism to notify you that your website has been linked to by them, or vice versa.

    A malicious user can exploit this. If they spoof their HTTP headers, then your server is sending lots of pingback traffic to a third-party server. This could be used, say, to launch a DDoS attack at someone else.

    A decent write-up of this, along with a diagram, can be found here by Tim Butler.

    If this worries you (and it should), there are suggestions about securing xmlrpc.php elsewhere on StackExchange: How to secure WordPress XMLRPC?

    wp-cron.php

    At present, there don’t seem to be any live vulnerabilities in wp-cron.

    That doesn’t mean the out-of-the-box wp-cron is benign. The default config for wp-cron assumes you’re on a web host that doesn’t let you add any cron jobs, and so there’s a crummy workaround that involves spamming your server. If you’re getting lots of requests (say, because you’re being spammed, as per above) then every malicious call to xmlrpc.php is spawning a “by-default” call to wp-cron.

    Further reading: The Nightmare that is WP Cron

    Note: the solution proposed in this article is cogent and sensible, but may not be paranoid enough. Just because there aren’t any vulnerabilities in WP Cron at the moment doesn’t mean there won’t be in future. Personally, I’d want to add additional server rules only allowing access to wp-cron.php from the server’s own IP address.

    As always, YMMV.
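As an added example (not part of the answer above), here is a small log check for the two symptoms the answer describes: addresses POSTing to xmlrpc.php in bursts, and wp-cron.php being requested from anything other than the server's own address. The log lines are constructed, and the loopback address 127.0.0.1 is assumed to be the server's own IP.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines, not real traffic. 203.0.113.7 hammers xmlrpc.php and
# each hit makes WordPress fire its own loopback POST to wp-cron.php; 198.51.100.4
# sends a single ordinary pingback; 192.0.2.9 requests wp-cron.php directly.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-cron.php?doing_wp_cron=1710064801.1 HTTP/1.1" 200 0 "-" "WordPress/6.4"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-cron.php?doing_wp_cron=1710064802.3 HTTP/1.1" 200 0 "-" "WordPress/6.4"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-cron.php?doing_wp_cron=1710064803.7 HTTP/1.1" 200 0 "-" "WordPress/6.4"
198.51.100.4 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.4; https://example.net"
192.0.2.9 - - [10/Mar/2024:10:00:09 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""

def parse(text):
    """Yield one dict per parseable combined-format log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def script(entry):
    """Request path with the query string stripped."""
    return entry["path"].split("?", 1)[0]

def xmlrpc_posters(entries, threshold):
    """IPs that POSTed to /xmlrpc.php at least `threshold` times -> count."""
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and script(e) == "/xmlrpc.php")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def foreign_cron_callers(entries, server_ips=("127.0.0.1",)):
    """IPs other than the server's own that requested /wp-cron.php -> count.
    With a server rule allowing only the server's own IP, this stays empty."""
    return dict(Counter(e["ip"] for e in entries
                        if script(e) == "/wp-cron.php" and e["ip"] not in server_ips))

if __name__ == "__main__":
    entries = list(parse(SAMPLE_LOG))
    print("xmlrpc bursts:", xmlrpc_posters(entries, threshold=3))
    print("wp-cron from outside:", foreign_cron_callers(entries))
```

On a real server, feed it the access log and tune the threshold to your normal pingback volume; one spawned wp-cron.php request per page hit from the loopback address is the default behaviour the answer describes, not an intrusion.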
