Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author AITpro

    (@aitpro)

    This XML-RPC DDoS PROTECTION Bonus Custom: https://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/ does protect against this attack and other types of XML-RPC exploitation attempts (spammers predominantly attempt to exploit XML-RPC vs hackers), but as long as you have at least WordPress 3.9.2 installed then your site is already protected against the XML Quadratic Blowup Attack.
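
An added illustration of what the reply above describes (my own Python, not the plugin's bonus code and not WordPress core): why a quadratic blowup request is cheap to send but expensive to parse, and the kind of pre-parse guard that makes the attack moot whether or not .htaccess rules are in front of xmlrpc.php. The guard refuses any DOCTYPE/ENTITY declaration and insists on a known XML-RPC root element; that this resembles what 3.9.2 did is my reading of the fix, not something the thread states, and the payload sizes, method name and function names are constructed for the example.

```python
# Added example: cost model of an XML "quadratic blowup" request against an
# XML-RPC endpoint, plus a pre-parse guard.  Not the BulletProof Security
# plugin's code and not WordPress's; the DOCTYPE/root-element check is only
# modelled on the idea behind the 3.9.2 fix.
import re
import xml.etree.ElementTree as ET

ALLOWED_ROOTS = (b"<methodCall", b"<methodResponse", b"<fault")
XML_DECL = re.compile(rb"^\s*<\?xml\b[^>]*\?>\s*")
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def quadratic_blowup_payload(entity_bytes: int, references: int) -> bytes:
    """Constructed attack request: one internal entity of `entity_bytes`
    bytes, referenced `references` times inside <methodName>.  Wire size is
    roughly entity_bytes + 3 * references; an expanding parser must build
    entity_bytes * references bytes, which is what burns CPU and memory when
    both numbers are in the tens of thousands."""
    entity = b"A" * entity_bytes
    refs = b"&a;" * references
    return (b'<?xml version="1.0"?>'
            b'<!DOCTYPE methodCall [<!ENTITY a "' + entity + b'">]>'
            b"<methodCall><methodName>" + refs + b"</methodName></methodCall>")


def predicted_sizes(entity_bytes: int, references: int) -> tuple[int, int]:
    """(bytes on the wire, bytes after entity expansion), computed without
    parsing so that large cases can be reasoned about safely."""
    wire = len(quadratic_blowup_payload(entity_bytes, references))
    return wire, entity_bytes * references


def expanded_text_length(payload: bytes) -> int:
    """Let a DTD-expanding parser (ElementTree on top of expat) really
    process the request and report how long <methodName> became.
    Only call this on small instances."""
    root = ET.fromstring(payload)
    return len(root.find("methodName").text)


def is_safe_xmlrpc(message: bytes) -> bool:
    """Pre-parse guard: drop the XML declaration, refuse any DOCTYPE or
    ENTITY declaration anywhere, and require a known XML-RPC root element."""
    body = XML_DECL.sub(b"", message, count=1).lstrip()
    if DTD_MARKERS.search(body):
        return False
    return body.startswith(ALLOWED_ROOTS)


def xmlrpc_method_name(message: bytes) -> str:
    """Parse only after the guard passes; raise instead of handing the
    parser untrusted DTD content."""
    if not is_safe_xmlrpc(message):
        raise ValueError("refused: DTD/entities or unexpected root element")
    root = ET.fromstring(message)
    name = root.find("methodName")
    if name is None or not name.text:
        raise ValueError("refused: no methodName")
    return name.text.strip()


if __name__ == "__main__":
    # Constructed benign request, the shape a pingback or mobile app sends.
    benign = (b'<?xml version="1.0"?><methodCall><methodName>demo.sayHello'
              b"</methodName><params/></methodCall>")
    print("benign ->", xmlrpc_method_name(benign))

    small = quadratic_blowup_payload(10, 100)
    print("small attack: wire", len(small), "bytes, expanded",
          expanded_text_length(small), "bytes")

    wire, expanded = predicted_sizes(55_000, 50_000)
    print(f"larger attack: ~{wire / 1e6:.2f} MB on the wire -> "
          f"~{expanded / 1e9:.2f} GB if expanded")
    print("guard accepts the attack request?", is_safe_xmlrpc(small))
```

Run it directly to see the numbers: the small instance is parsed for real, the larger one is only computed. A host-level block on xmlrpc.php, like the linked bonus code, stops the request before PHP ever parses it, which is the cheaper defence when the site does not need XML-RPC at all.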

    Plugin Author AITpro

    (@aitpro)

    Or probably a better way to phrase this statement – “spammers predominantly attempt to exploit XML-RPC vs hackers” – would be that the ratio of spam-like exploitation attempts to exploit the XML-RPC Library significantly outnumbers other typical forms of website hacking attempts to exploit the XML-RPC Library, due to the nature of what the XML-RPC Library is used for.

    Thread Starter lagoongear

    (@lagoongear)

    Hi AITpro,

    Thanks for the quick reply and the resources.

    From your reply, if I’m not wrong, if I follow the steps, it will add an extra bonus to prevent the XML blowup attack.

    My question is more like: if a website is still using 3.9.1, and earlier already had BulletProof basic (non-Pro version) set up, with the .htaccess protection etc. in place,

    is it still vulnerable to the XML Quadratic Blowup Attack? (without the XML-RPC DDoS PROTECTION Bonus Code in the link given)

    Plugin Author AITpro

    (@aitpro)

    Yes, I believe that if someone did not have any sort of XML-RPC protection on their website then it is possible that their website could be attacked. The odds of that actually happening are probably 100,000 to 1 (or more), unless of course your site is on a hacker’s hitlist. Typically DoS/DDoS attacks target a specific host for a specific reason and are not done randomly like most other forms of automated hacking.

    Plugin Author AITpro

    (@aitpro)

    I think this is important to mention. 90% or more of all hacking is automated with hackerbots. hackerbots are given a set of parameters: vulnerabilities/exploits to look for. This is referred to as hacker recon. If a bot finds a vulnerability/exploit on a website then depending on the hackerbot’s sophistication it will either hack the site immediately or it will phone home that this website has a particular exploit/vulnerability.

    The point being that active and preventative website security measures keep your website from being hacked or being catalogued as a hackable site.

    Example scenario: websiteA is phoned home to a human hacker by a hackerbot as having a possible vulnerability/exploit. The human hacker may decide to attack the site personally if the target has some value.

    Thread Starter lagoongear

    (@lagoongear)

    So in other words, due to the protection that has been set up on the website I was talking about, the chances of being attacked are much lower.

    Though some actions still must be taken if the website is to be safe.

    Unless there are special reasons or REAL plain bad luck, the website is considered “safe” to some degree due to the setup the website had.

    Background information:
    the website has a long password string and a non-default admin username.
    basic BulletProof protection set up
    login has been changed to a custom URL (though I read somewhere before that you said it’s actually useless)

    Please correct me if I understand it wrongly from your replies.

    Thanks for the explanation.

    P.S. I gave a 5-star review; I hope it helps a bit in some way.

    Plugin Author AITpro

    (@aitpro)

    In general, most automated hacking is done in volume/bulk looking for easy targets. If your site is not an easy target then the automated hackerbots will move on to other easy targets.

    FTP password cracking is a primary target for hackers and this is automated as well. Make sure that you have a very strong FTP password and also obfuscate the FTP username. Example FTP Username: g4rukq6vbp3.

    Changing the login page url may be beneficial, but having actual real security protection on the login page is the optimum security method. A bot may or may not find the login page url if you are trying to hide it. If you have actual login security protection on your login page then it does not matter if the login page is hidden or not – it would be protected.

    For most of our sites we want folks to be able to register and login to those sites. For all of our testing sites only we log in to those sites. We use the IP based Brute Force Login page protection code in this link on those testing sites: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/. The login page is not hidden and only our IP addresses are allowed to access the login page to login to those sites and all other IP addresses are forbidden/blocked from accessing the login page.

    Thanks for the 5 star rating. Very much appreciated!

  • The topic ‘Does the bulletproof protect 3.9.1 XML Quadratic Blowup Attack?’ is closed to new replies.