• I’ve written a desktop client to post via XML-RPC to WordPress installs and my clients run into trouble all the time. Hosts restrict on data, frequency, duration, etc. of the uploads to xmlrpc.php and take shockingly aggressive automatic actions like banning the user’s IP.

    Does anyone have experiences alleviating these problems?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Unless the host is willing to relent, a replacement might be in order.

    Thread Starter dannyjb

    (@dannyjb)

    I wish it was that simple!

    See, I write the software that many people use (with many different hosts) and the issue is getting worse. It’s very widespread with varying degrees of response from hosts. Perhaps a WordPress mod might have thoughts because they must see it too!?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    What are you doing that sets off the host implementing IP banning? Do other apps such as the iPhone/Android WordPress app get banned too?

    Thread Starter dannyjb

    (@dannyjb)

    There have been multiple reasons for banning. Typically banning is a frequency or total data issue – we think.

    We upload photo based posts and each image does a newMediaObject call through the MetaWeblog API.

    It’s fairly standard but we noticed such a huge uptick in ‘security’ measures that we need to be considering alternatives…

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Speaking as a host….

    Anything that sends a lot of traffic to xmlrpc, especially login information, is pegged as possibly abuse. This is done via many methods, but most popular is a melange of mod_security and fail2ban or iptables, which can say “Aha! This IP sent 100 hits to xmlrpc in 2 minutes! It’s a DDoS!”

    And we blacklist.

    It’s not my favorite method of protection, but given the alternatives (which is crashing a server because those dipsticks who like to brute force WP hit xmlrpc pretty regularly), it’s the lesser of the evils. For some reason, image uploads trigger this more often.

    My suggestions:

    1) Make a STANDARD User-Agent for your app. Example: User-Agent: Adobe Photoshop Lightroom. Make it as explicit as you can (someone asked me to whitelist User-Agent: Blog …)

    2) Contact the hosts and ask if it’s possible for them to whitelist you.

    I know it sucks, but that’s the world we’re in until the JSON API takes flight fully and we can all use it. xmlrpc … sucks. It’s not efficient, it’s not secure, and it’s easy to abuse.

    If you need help at DreamHost, you can hit me up personally at mika.epsteinATdreamhost.com and I’ll see what I can do.
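
The kind of rate rule described in the reply above ("100 hits to xmlrpc in 2 minutes"), written out as an added Python example; it is not code from the thread or from any host's real mod_security or fail2ban setup. The log lines, IP addresses and the `ExampleUploader/1.0` User-Agent are constructed, and the `allow_agents` parameter is a hypothetical stand-in for a host-side whitelist.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def flag_xmlrpc_bursts(lines, max_hits=100, window=timedelta(minutes=2), allow_agents=()):
    """Return {ip: time it first reached max_hits POSTs to /xmlrpc.php inside window}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, agent = m.groups()
        if method != "POST" or path.split("?")[0] != "/xmlrpc.php":
            continue
        if agent in allow_agents:  # exact match only; the header is client-supplied
            continue
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] >= window:  # drop hits that have aged out
            hits.popleft()
        if len(hits) >= max_hits and ip not in flagged:
            flagged[ip] = now
    return flagged

def sample_log():
    """Constructed log: a photo client sending one newMediaObject POST per second
    for 120 images, plus an occasional poster sending one POST per minute."""
    start = datetime(2014, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "{ua}"'
    def rows(ip, ua, count, step):
        for i in range(count):
            t = (start + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S %z")
            yield fmt.format(ip=ip, t=t, ua=ua)
    return list(rows("203.0.113.7", "ExampleUploader/1.0", 120, 1)) + \
           list(rows("198.51.100.9", "Mozilla/5.0", 5, 60))

if __name__ == "__main__":
    for ip, when in flag_xmlrpc_bursts(sample_log()).items():
        print(f"{ip} reached the limit at {when:%H:%M:%S}")
    # With the uploader's exact User-Agent allow-listed, nothing is flagged.
    print(flag_xmlrpc_bursts(sample_log(), allow_agents=("ExampleUploader/1.0",)))
```

A batch upload of ordinary size trips the rule on its 100th image, which is why a distinct, stable User-Agent gives a host something to match on. Because that header is set by the client, an allow-list keyed on it alone also exempts anything else that sends the same string.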

  • The topic ‘Host restrictions on XML-RPC’ is closed to new replies.