A security researcher from Salesforce.com's product security team, Nir Goldshlager (Twitter, blog), has discovered an XML vulnerability that affects the popular website platforms WordPress and Drupal.
We strongly encourage you to update your WordPress installations immediately.
If for some reason you don't want to update your WordPress version, you can ask your server admin – or do it yourself – to add the following lines to your .htaccess file. They deny all requests to xmlrpc.php, the endpoint that receives the XML-RPC (pingback) requests, so the vulnerable XML processing is never reached.
# XMLRPC Pingback DDOS Prevention
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

<FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
</FilesMatch>
WordPress 3.9.2 Security Release
WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP's XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team.
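Blocking xmlrpc.php outright is the simplest fix; where the endpoint has to stay reachable, the defender's alternative is to refuse risky XML before it reaches the parser. The following is an added example in Python, not code from WordPress, Drupal or the disclosure: the size cap, the guard names and the sample request bodies are constructed for illustration.

```python
import xml.parsers.expat

MAX_BODY_BYTES = 64 * 1024  # constructed cap for this example, not a WordPress value

class UnsafeXmlRequest(ValueError):
    """Raised when an XML-RPC body is refused before or during parsing."""

def parse_xmlrpc_method(body: bytes) -> str:
    """Return the <methodName> of an XML-RPC request, refusing risky input."""
    # Guard 1: a hard size cap, so one request cannot tie up a worker for long.
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeXmlRequest("body exceeds %d bytes" % MAX_BODY_BYTES)
    # Guard 2: no DOCTYPE/ENTITY declarations; entity expansion is what lets a
    # small body grow into a CPU and memory sink inside the XML parser.
    lowered = body.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise UnsafeXmlRequest("DTD/entity declarations are not accepted")
    # Guard 3: expat itself refuses any entity declaration that got past guard 2.
    method, inside = [], [False]
    def reject_entity(*_args):
        raise UnsafeXmlRequest("entity declaration reached the parser")
    def start(name, _attrs):
        inside[0] = inside[0] or name == "methodName"
    def end(name):
        inside[0] = inside[0] and name != "methodName"
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda d: inside[0] and method.append(d)
    parser.Parse(body, True)
    return "".join(method).strip()

# Constructed sample bodies: a legitimate pingback call, and one carrying an
# internal DTD with an entity declaration, which the guards must refuse.
GOOD_BODY = b"""<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName>
<params><param><value><string>http://example.com/post</string></value></param></params>
</methodCall>"""
DTD_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY x "pingback.ping"> ]>
<methodCall><methodName>&x;</methodName></methodCall>"""

def is_accepted(body: bytes) -> bool:
    """True if the body passes every guard and parses as well-formed XML-RPC."""
    try:
        parse_xmlrpc_method(body)
        return True
    except (UnsafeXmlRequest, xml.parsers.expat.ExpatError):
        return False
```

The textual check on its own is what makes the guard cheap: the body is refused before any parser work is done, which is the point when the goal is to avoid a denial of service.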
WordPress and Drupal Denial Of Service Vulnerability Full Disclosure – Break Security