Why are xmlrpc.php and wp-cron.php being called so often?

We experienced this just last night.

xmlrpc.php

Lots of traffic to xml-rpc.php is a classic sign of a WordPress pingback attack. By default, pingbacks are turned on in WP. A non-malicious user/website uses this mechanism to notify you that your website has been linked-to by them, or vice versa.

A malicious user can exploit this. If they spoof their HTTP headers, then your server is sending lots of pingback traffic to a third-party server. This could be used, say, to launch a DDOS attack at someone else.

A decent write-up of this, along with a diagram, can be found here by Tim Butler.

If this worries you (and it should), there are suggestions about securing xmlrpc.php elsewhere on StackExchange: How to secure WordPress XMLRPC?

wp-cron.php

At present, there doesn’t seem to be any live vulnerabilities to wp-cron.

That doesn’t mean the out-of-the-box wp-cron is benign. The default config for wp-cron assumes you’re on a web host that doesn’t let you add any cron jobs, and so there’s a crummy workaround that involves spamming your server. If you’re getting lots of requests (say, because you’re being spammed, as per above) then every malicious call to xmlrpc.php is spawning a “by-default” call to wp-cron.

Further reading: The Nightmare that is WP Cron

Note: the solution proposed in this article is cogent and sensible, but may not be paranoid enough. Just because there aren’t any vulnerabilities in WP Cron at the moment doesn’t mean there won’t be in future. Personally, I’d want to add additional server rules only allowing access to wp-cron.php from the server’s own IP address.

As always, YMMV.

deneme bonusu veren sitelerbahis casinomakrobetceltabetpinbahispolobetpolobet girişpinbahis girişmakrobet girişpulibet girişmobilbahis girişkolaybet giriş