• Resolved droid

    (@android1pro)


    [ Moderator note: title adjusted, please refrain from using help, urgent, emergency, asap, etc. in topic titles. ]

    Hello,

    Please, your urgent timely help is needed now.

    The Jetpack plugin, which has many millions of users,
    needs complete full access to XML-RPC in order to function.

    A Jetpack engineer is advising us to ask you to please stop blocking the XML-RPC file.

    Here is exactly what he said:

    “The main issue here is that we are being blocked from accessing
    https://www.android1pro.com/xmlrpc.php?for=jetpack which Jetpack
    requires to function.

    Unfortunately, blocking XML-RPC is not a great solution for fighting
    security risks. It’s akin to selling your car because you don’t want
    it to be stolen.

    Your site’s XML-RPC file is kind of like a communication gateway to
    your site. Jetpack, the WordPress Mobile Apps, and other plugins and
    services will use this file to communicate to your site. If this is
    blocked, you will have other issues pop up down the road for the same
    reasons.

    Since the block is from Wordfence, I recommend asking them to unblock
    your site’s XML-RPC.”

    I already whitelisted the IP he provided;
    however, could you please confirm that the whitelisting is accurate
    and correct for all of our Jetpack IPs for the entirety of the Wordfence users?

    Here are ALL the IPs provided by the Jetpack engineer:
    122.248.245.244
    54.217.201.243
    54.232.116.4

    and this range: 192.0.64.0/18

    So,
    after the wait of 30 days now, can you at least implement global permission for all the IPs listed above as a solution in order to allow Jetpack access to the XML-RPC file?

    Your prompt processing now is much appreciated.

Viewing 4 replies - 1 through 4 (of 4 total)
  • I’m sure WF support will chime in, but I can tell you that as a developer with many WP clients, for as many users who want XML-RPC, there are just as many who do not want it enabled.

    Regardless of your blanket dismissal of the risks – it IS a very large security hole that is often exploited by hackers, so on sites that do not need its functionality, it absolutely makes sense to disable it.

    But that is what the whitelisting feature in the Wordfence firewall is for – to allow you to tailor your firewall needs with your site’s user requirements.

    • This reply was modified 7 years, 9 months ago by bluebearmedia.
    Thread Starter droid

    (@android1pro)

    WF whitelisting of the Jetpack IP was done, but the same issue still remains unresolved,
    meaning WF is still blocking XML-RPC file access for the Jetpack plugin, which, as you know, like WF, is also used by millions of users daily.

    Just discovered this:
    https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/

    So Wordfence doesn’t inherently disable XML-RPC, so something else is causing the blockage… (probably still requiring a tweak to the WF firewall, though…)

    If you go to the Live Traffic section of Wordfence and choose the “Blocked by Firewall” filter, do you see any entries where Jetpack is being blocked?
    If so, you should be able to choose “Whitelist Param from Firewall” to disable the block and whitelist that type of request.

    • This reply was modified 7 years, 9 months ago by bluebearmedia.

    Hi @android1pro
    Exactly as @bluebearmedia mentioned, Wordfence doesn’t block XML-RPC; it could be another plugin installed on your website, a code snippet you added in the “.htaccess” file, or something related to Cloudflare, as I can see you are using their firewall too.

    Thanks.
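Added example, not part of the original thread and not Wordfence or Jetpack code: one way to check from the web server's access log whether requests to `xmlrpc.php` from the Jetpack addresses listed in the thread are being answered with an error status. The log format (Combined Log Format), the sample lines and the function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Jetpack addresses exactly as listed in the thread above.
JETPACK_NETS = [ipaddress.ip_network(n) for n in (
    "122.248.245.244", "54.217.201.243", "54.232.116.4", "192.0.64.0/18")]

# Assumed Combined Log Format: ip ident user [time] "METHOD target proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.80.10 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 403 162 "-" "sample-agent"
54.232.116.4 - - [01/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512 "-" "sample-agent"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "sample-agent"
203.0.113.7 - - [01/Jan/2024:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "sample-agent"
not a log line
"""

def is_jetpack(ip_text):
    """True if ip_text parses as an address inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in JETPACK_NETS)

def summarize_xmlrpc(log_text):
    """Count xmlrpc.php responses per (origin, status) and list denied Jetpack hits."""
    counts, denied = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        if target.split("?", 1)[0] != "/xmlrpc.php":
            continue
        origin = "jetpack" if is_jetpack(ip) else "other"
        counts[(origin, int(status))] += 1
        if origin == "jetpack" and int(status) >= 400:
            denied.append((ip, target, int(status)))
    return counts, denied

if __name__ == "__main__":
    counts, denied = summarize_xmlrpc(SAMPLE_LOG)
    for (origin, status), n in sorted(counts.items()):
        print(f"{origin:8} {status} x{n}")
    for ip, target, status in denied:
        print(f"DENIED Jetpack request: {ip} {target} -> {status}")
```

If the site sits behind a proxy such as Cloudflare, the address in the log is the proxy's unless the server is configured to restore the client IP, so an allowlist keyed on the Jetpack addresses will not match at the origin.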

  • The topic ‘xml-rpc issue’ is closed to new replies.