WP <= 6.1.1 – Unauthenticated Blind SSRF via DNS Rebinding

Hi @merkucio, thanks for your message.

Our documentation on Wordfence Intelligence Community Edition should explain what we know and recommend regarding this: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-611-unauthenticated-blind-server-side-request-forgery

I hope that helps you out!
Peter.

@wfpeter,

Hello. Ok, it’s recommended to block xmlrpc.php at the web server level but how to do this? Is it possible using your plugin?

Hi @merkucio,

“Disable XML-RPC authentication” appears in Wordfence > Login Security > Settings. You can also block this route entirely using .htaccess , provided you don’t use the WordPress app or a plugin that requires it such as Jetpack:

#Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Thanks again,
Peter.