WordPressのXMLRPCって便利なのですけどpingbackスパムやログイン攻撃の的になるんですよね。
スカイプでそんな事を話していたら、同じくWordPressを持ってる人に「まじ?どうすればいいの?」と言われたので、うちのブログで使っているヤツのコードを組み直して渡しました。
コードはこれ
class kerberos_xmlrpc_filter { private $config = [ 'disable-rpc' => false, 'remove-pingback-header' => false, 'filter' => [ 'enable' => true, 'process' => 1, // 0 = remove method and continue WP, 1 = HTTP 403, 2 = exit 'message' => [ // process = 1 or 2 'enable' => true, 'status' => 200, 'content-mime' => 'text/plain', 'message' => 'You don\'t have permission to access on this server.' ], 'methods' => [ // WordPress API 'demo.sayHello' => ['enable' => true, 'process' => 0], 'system.multicall' => ['enable' => false, 'process' => 0], 'wp.getUsersBlogs' => ['enable' => false, 'process' => 0], 'wp.newPost' => ['enable' => false, 'process' => 0], 'wp.editPost' => ['enable' => false, 'process' => 0], 'wp.deletePost' => ['enable' => false, 'process' => 0], 'wp.getPost' => ['enable' => true, 'process' => 0], 'wp.getPosts' => ['enable' => true, 'process' => 0], 'wp.newTerm' => ['enable' => false, 'process' => 0], 'wp.editTerm' => ['enable' => false, 'process' => 0], 'wp.deleteTerm' => ['enable' => false, 'process' => 0], 'wp.getTerm' => ['enable' => true, 'process' => 0], 'wp.getTerms' => ['enable' => true, 'process' => 0], 'wp.getTaxonomy' => ['enable' => true, 'process' => 0], 'wp.getTaxonomies' => ['enable' => true, 'process' => 0], 'wp.getUser' => ['enable' => false, 'process' => 0], 'wp.getUsers' => ['enable' => false, 'process' => 0], 'wp.getProfile' => ['enable' => false, 'process' => 0], 'wp.editProfile' => ['enable' => false, 'process' => 0], 'wp.getPage' => ['enable' => true, 'process' => 0], 'wp.getPages' => ['enable' => true, 'process' => 0], 'wp.newPage' => ['enable' => false, 'process' => 0], 'wp.deletePage' => ['enable' => false, 'process' => 0], 'wp.editPage' => ['enable' => false, 'process' => 0], 'wp.getPageList' => ['enable' => true, 'process' => 0], 'wp.getAuthors' => ['enable' => true, 'process' => 0], 'wp.getCategories' => ['enable' => true, 'process' => 0], // Alias 'wp.getTags' => ['enable' => true, 'process' => 0], 'wp.newCategory' => ['enable' => false, 'process' => 0], 'wp.deleteCategory' => ['enable' => false, 'process' => 0], 'wp.suggestCategories' => ['enable' => true, 'process' => 0], 'wp.uploadFile' => ['enable' => false, 'process' => 0], // Alias 'wp.deleteFile' => ['enable' => false, 'process' => 0], // Alias 'wp.getCommentCount' => ['enable' => true, 'process' => 0], 'wp.getPostStatusList' => ['enable' => false, 'process' => 0], 'wp.getPageStatusList' => ['enable' => false, 'process' => 0], 'wp.getPageTemplates' => ['enable' => false, 'process' => 0], 'wp.getOptions' => ['enable' => false, 'process' => 0], 'wp.setOptions' => ['enable' => false, 'process' => 0], 'wp.getComment' => ['enable' => true, 'process' => 0], 'wp.getComments' => ['enable' => true, 'process' => 0], 'wp.deleteComment' => ['enable' => false, 'process' => 0], 'wp.editComment' => ['enable' => false, 'process' => 0], 'wp.newComment' => ['enable' => false, 'process' => 0], 'wp.getCommentStatusList' => ['enable' => false, 'process' => 0], 'wp.getMediaItem' => ['enable' => false, 'process' => 0], 'wp.getMediaLibrary' => ['enable' => false, 'process' => 0], 'wp.getPostFormats' => ['enable' => false, 'process' => 0], 'wp.getPostType' => ['enable' => false, 'process' => 0], 'wp.getPostTypes' => ['enable' => false, 'process' => 0], 'wp.getRevisions' => ['enable' => false, 'process' => 0], 'wp.restoreRevision' => ['enable' => false, 'process' => 0], // Blogger API 'blogger.getUsersBlogs' => ['enable' => true, 'process' => 0], 'blogger.getUserInfo' => ['enable' => true, 'process' => 0], 'blogger.getPost' => ['enable' => true, 'process' => 0], 'blogger.getRecentPosts' => ['enable' => true, 'process' => 0], 'blogger.newPost' => ['enable' => true, 'process' => 0], 'blogger.editPost' => ['enable' => true, 'process' => 0], 'blogger.deletePost' => ['enable' => true, 'process' => 0], // MetaWeblog API (with MT extensions to structs] 'metaWeblog.newPost' => ['enable' => true, 'process' => 0], 'metaWeblog.editPost' => ['enable' => true, 'process' => 0], 'metaWeblog.getPost' => ['enable' => true, 'process' => 0], 'metaWeblog.getRecentPosts' => ['enable' => true, 'process' => 0], 'metaWeblog.getCategories' => ['enable' => true, 'process' => 0], 'metaWeblog.newMediaObject' => ['enable' => true, 'process' => 0], // MetaWeblog API aliases for Blogger API // see http://www.xmlrpc.com/stories/storyReader$2460 'metaWeblog.deletePost' => ['enable' => true, 'process' => 0], 'metaWeblog.getUsersBlogs' => ['enable' => true, 'process' => 0], // MovableType API 'mt.getCategoryList' => ['enable' => true, 'process' => 0], 'mt.getRecentPostTitles' => ['enable' => true, 'process' => 0], 'mt.getPostCategories' => ['enable' => true, 'process' => 0], 'mt.setPostCategories' => ['enable' => true, 'process' => 0], 'mt.supportedMethods' => ['enable' => true, 'process' => 0], 'mt.supportedTextFilters' => ['enable' => true, 'process' => 0], 'mt.getTrackbackPings' => ['enable' => true, 'process' => 0], 'mt.publishPost' => ['enable' => true, 'process' => 0], // PingBack 'pingback.ping' => ['enable' => true, 'process' => 0], 'pingback.extensions.getPingbacks' => ['enable' => false, 'process' => 0] ] ] ]; public function __construct() { if ($this->config['disable-rpc'] === true) { add_filter('option_enable_xmlrpc', false); } else { if ($this->config['remove-pingback-header'] === true) { add_filter('wp_headers', [$this, 'wp_headers']); } if ($this->config['filter']['enable'] === true) { add_filter('xmlrpc_methods', [$this, 'xmlrpc_methods'], 3); } } } public function wp_headers($headers) { unset($headers['X-Pingback']); return $headers; } public function xmlrpc_methods($methods) { if ($_SERVER['REMOTE_ADDR'] === '127.0.0.1') { return $methods; } if ($_SERVER['REQUEST_METHOD'] === 'POST') { if (isset($_SERVER['POST']) === false) { return []; } foreach ($this->config['filter']['methods'] as $method_name => $method_option) { $postData = $postData = $_SERVER['POST']; if (strpos($postData, $method_name) !== false) { if ($method_option['enable'] === false) { switch ($this->config['filter']['process']) { case 0: unset($methods[$method_name]); break 2; case 1: http_response_code(403); if ($this->config['filter']['message']['enable'] === true) { header('Content-type: '.$this->config['filter']['message']['content-mime']); echo $this->config['filter']['message']['message']; } exit; break 2; case 2: http_response_code($this->config['filter']['message']['status']); if ($this->config['filter']['message']['enable'] === true) { header('Content-type: '.$this->config['filter']['message']['content-mime']); echo $this->config['filter']['message']['message']; } exit; break 2; } break 1; } } } } return $methods; } } new kerberos_xmlrpc_filter();
コードは凄く簡単。
前処理はイロイロあるけど、add_filterでxmlrpc_methodsにフィルターをかける。
XMLRPCにPOSTが飛んでくると$methodsにWordPressで有効になっているメソッド一覧が入っているので、許可しない場合は$methodsから対象のメソッドを削除すればOK。
削除するだけなら処理はWordPressに引き継がれ有効なメソッドではないとのメッセージが表示される仕組み。
このコードは設定でメソッド毎に許可/却下をするだけなので、改造すればイロイロできます。
うちの場合は、公開ブラックリストの照会やデータベースへの記録・過去のデータベースからスパムかどうかの判定などをしています。
設定のdisable-rpcはXMLRPC自体を無効化してしまうので、pingback等を受け取れなくなるので注意です。
最近のコメント