Important security breach on WordPress and Drupal

A security researcher from’s product security team, Nir Goldshlager (Twitter, blog), has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

We strongly encourage you to update your WordPress installations immediately.

If you don’t want to update your WordPress version, for some reason, you can ask your server admin – or you can do it yourself – by adding the following lines to your .htaccess.

# XMLRPC Pingback DDOS Prevention
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all


<FilesMatch "^(xmlrpc\.php)">
	Order Deny,Allow
	Deny from all
	#Allow from x.x.x.


WordPress 3.9.2 Security Release

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team.

WordPress and Drupal Denial Of Service Vulnerability Full Disclosure – Break Security