Tag: api

WordPress disable XMLRPC.php for increased security

I have recently been having a few issues with bots and malicious attacks trying to breach WordPress websites via brute force attacks. From my experience 90% of the websites, I have built or worked on never utilise the xmlrpc service, which is included with WordPress, due to this I decided to simply block any access to this service via Apache, which fixes a number of security related issues.

Code

Place this in your websites .htaccess file to take effect, then simply browser to domain.com/xmlrpc.php and you now get an access denied message.

Block XMLRPC access

# Block XMLRPC access <Files xmlrpc.php> Order allow,deny Deny from all </Files>

1
2
3
4
5

# Block XMLRPC access
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>

What is XMLRPC?

The xmlrpc.php allows remote access to your WordPress site, it allows various tools and publishing applications to control and manage content from outside of the normal WordPress admin. For example, a publishing tool may allow you to write new blog posts using an alternative tool (instead of the WordPress admin).

Do I need it?

If you do not use any tools / services which utilise xmlrpc, then you do not need it and can apply the block in this post. For example, if you use the WordPress app to manage your website from your phone then you will need to keep XMLRPC working.

Why block XMLRPC?

Due to the nature of XMLRPC, it allows remote services to connect and perform actions on your website, this creates an additional security risk, and it is very common for malicious attacks to target XMLRPC with bruite-force attacks, trying to guess your password and / or access other services exposed by the XMLRPC protocol.

This code is provided as it and may require changes to work for your needs.

15th June 2021

WooCommerce delayed webhooks using actions scheduler

Recently been contacted by a user who needed the ability to delay the WooCommerce webhooks by x time, this would allow other processes happening on the site to finish instead of firing the webhook straight away, for example waiting for the payment process to finalise. Delaying webhooks is not common practice, however some time special case arises!

Take a look at actions scheduler if you wish to read more into the scheduler system used by WooCommerce.

Code

The following code allows you to delay several WooCommerces webhooks by a set duration (seconds) and also run in two modes.

Single Webhook, creates 1 single webhook but delayed by x seconds.
Multi Webhook, creates 2 webhooks, the normal webhook created by WooCommerce and a second repeat webhook which runs x seconds later.

function filter_woocommerce_webhook_deliver_async($true, $instance, $arg) {
    // Replace default schedule action? (single web hook fired, with delay)
    // Or schedule a seperate delayed action (default webhook fied with a second delayed web hook)
    $singleWebhook = false;
    
    // Target webhook topics
    $targetWebhookTopics = [
        ‘order.updated’,
    ];
    
    // Delay time in seconds
    $delayTime = 300;
    
    // If order.update, we want to create a seperate delayed webhook via schedule actions
    if (in_array($instance->get_topic(), $targetWebhookTopics)) {
        $payload = [‘webhook_id’ => $instance->get_id(), arg => $arg];
        $group = $singleWebhook ? ‘woocommerce-webhooks’ : ‘woocommerce-webhooks-delayed’;
        
        // Schedule a single action to run in 5 minutes, to cause the order.update to fire (delayed)
        // Make sure to run as_next_scheduled_action so multiple instances are not scheduled if one is already scheduled
        if (as_next_scheduled_action(‘woocommerce_deliver_webhook_async’, $payload, $group) === false) {
            as_schedule_single_action(time() + $delayTime, ‘woocommerce_deliver_webhook_async’, $payload, $group);
        }
    }
    
    return $true;
};
add_filter(‘woocommerce_webhook_deliver_async’, ‘filter_woocommerce_webhook_deliver_async’, 10, 3);

function filter_woocommerce_webhook_deliver_async($true, $instance, $arg) {

// Replace default schedule action? (single web hook fired, with delay)

// Or schedule a seperate delayed action (default webhook fied with a second delayed web hook)

$singleWebhook = false;

// Target webhook topics

$targetWebhookTopics = [

‘order.updated’,

];

// Delay time in seconds

$delayTime = 300;

// If order.update, we want to create a seperate delayed webhook via schedule actions

if (in_array($instance–>get_topic(), $targetWebhookTopics)) {

$payload = [‘webhook_id’ => $instance–>get_id(), arg => $arg];

$group = $singleWebhook ? ‘woocommerce-webhooks’ : ‘woocommerce-webhooks-delayed’;

// Schedule a single action to run in 5 minutes, to cause the order.update to fire (delayed)

// Make sure to run as_next_scheduled_action so multiple instances are not scheduled if one is already scheduled

if (as_next_scheduled_action(‘woocommerce_deliver_webhook_async’, $payload, $group) === false) {

as_schedule_single_action(time() + $delayTime, ‘woocommerce_deliver_webhook_async’, $payload, $group);

}

return $true;

};

add_filter(‘woocommerce_webhook_deliver_async’, ‘filter_woocommerce_webhook_deliver_async’, 10, 3);

This code is provided as it and may require changes to work for your needs.

12th November 2020

Tag: api

WordPress disable XMLRPC.php for increased security

Code

What is XMLRPC?

WooCommerce delayed webhooks using actions scheduler

Code