Random 503 errors when uploading images using xmlrpc

wordpress

#1

Today I’ve received random 503 errors when trying to upload images to my blog using xmlrpc. Sometimes it works, but sometimes I get 503 errors. If I wait a few minutes and try again, then the error goes away.

I’ve used the same method for several years, with no problems. The only recent change was moving my blog to DreamPress. I wonder if some security setting there is throttling my use of xmlrpc?

Thanks,

Andrew


#2

What are you using that uses xmlrpc? I’ve heard some issues with MarsEdit.


#3

It's a Lightroom plugin that posts images to a NextGEN gallery.


#4

Are you using http://alloyphoto.com/plugins/nextgen/nextgen-faq/? I am having the same problem - as you can see from the comments on the FAQ page. I have an open support request to ask what, if anything, can be done.


#5

Ian, if you want to tell NextGen to contact me about this, my email is mika.epstein AT dreamhost.com and they know me :slight_smile:


#6

I kind of feel like it is difficult to fault NextGEN for creating an XML API for uploading, or Alloy for using it to upload pics from Lightroom, or even DreamHost for having careful security measures. Is it something that the NextGEN programmers can actually address? What could be done to make things better? I can certainly contact them and see if something can be worked out.

DreamHost support told me I could turn off the Extra Web Security, à la this page:

I have not experimented with the IP-specific option - I just wanted to start by seeing whether turning it off helped. It did.

Thank you for looking at this


#7

I don’t fault them at all! Oh gosh no, it’s WAY bigger than that.

Let me explain:

  1. XMLRPC lets apps talk to WP without being IN WordPress. The WP iPhone app uses it.

  2. Hackers like to use this too, so they try to DDoS your site by hammering that.

  3. We block multiple repeated connections from one IP in too short a time span because of #2. To do that, we use ModSecurity.

  4. Some apps using XMLRPC are more chatty than others, and cause more traffic because of it. Image uploads are almost always the big offender, just because of how they have to work.

  5. You get a 503 :confused:

So there are a couple of fixes here. Turning off ModSecurity is one, and it's not a good one, because it means we can't stop the DDoS attacks on you anymore! So if some botnet targets your wp-login.php file, you're going to crash :frowning: Another fix is for them to be 'less chatty', which is not easy. A third would be for WP to use a better protocol (which actually is being worked on as the JSON API). Finally, we have a middle-of-the-road one we're working on, where we work WITH the apps to try and find a way to safely whitelist the specific app in a way that will still protect you.

Hence please do ask them to ping me so I can work with them to see if we can do that last one :slight_smile: We don’t like whitelisting all the time, since it can be faked and abused, but it’s better than a 503 and better than turning off ModSec.
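As an added illustration of the throttling described in post #7 (this is example code written for this page, not DreamHost's configuration or ModSecurity's actual rules; the limit of 10 hits per IP per 60 seconds, the log line format, the IP addresses and the user-agent strings are all assumptions): a sliding-window, per-IP limiter on the WordPress endpoints bots hammer, run over constructed access-log lines. A chatty image-upload client that fires one XML-RPC call per image trips the threshold and starts getting 503s, a slower client does not, and a per-app allowlist lets the named client through, with the caveat the post gives: the allowlist key is a User-Agent header that anyone can forge.

```python
import re
from collections import defaultdict, deque

# Endpoints worth throttling: the XML-RPC API and the login form (post #7).
PROTECTED_PATHS = {"/xmlrpc.php", "/wp-login.php"}

# Constructed, simplified log format (not Apache's):
#   <ip> [<epoch seconds>] "<METHOD> <path>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict; return None on junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


class PerIpLimiter:
    """Allow at most `limit` hits from one source IP to a protected path within
    any `window`-second span; anything beyond that is answered with 503.
    User agents listed in `allowlist` bypass the counter entirely - the
    "whitelist the specific app" middle ground - which is only as strong as
    the User-Agent header, a value any attacker can copy."""

    def __init__(self, limit=10, window=60, allowlist=()):
        self.limit = limit
        self.window = window
        self.allowlist = set(allowlist)
        self._hits = defaultdict(deque)  # ip -> timestamps of recent hits

    def decide(self, rec):
        """Return the HTTP status this request would get: 200 or 503."""
        if rec["path"] not in PROTECTED_PATHS:
            return 200  # static files, posts, etc. are never counted
        if rec["ua"] in self.allowlist:
            return 200  # trusted app; note the spoofing caveat above
        q = self._hits[rec["ip"]]
        # Drop hits that have aged out of the window, then record this one.
        while q and rec["ts"] - q[0] >= self.window:
            q.popleft()
        q.append(rec["ts"])
        return 503 if len(q) > self.limit else 200


def run(lines, limiter):
    """Feed log lines through the limiter in order; return the list of statuses."""
    statuses = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash on them
        statuses.append(limiter.decide(rec))
    return statuses


def chatty_upload(ip, ua, start, n, gap):
    """Constructed traffic: n POSTs to /xmlrpc.php from one IP, `gap` s apart,
    i.e. one XML-RPC call per image, the pattern that makes uploads 'chatty'."""
    return [f'{ip} [{start + i * gap}] "POST /xmlrpc.php" "{ua}"' for i in range(n)]


if __name__ == "__main__":
    app = "NextGENUploader/1.0 (constructed UA)"
    burst = chatty_upload("203.0.113.10", app, 1_700_000_000, 15, 2)
    print("burst, no allowlist :", run(burst, PerIpLimiter()))
    print("burst, allowlisted  :", run(burst, PerIpLimiter(allowlist=[app])))
```

The same counter is what stops a login-guessing botnet on wp-login.php, which is why disabling it wholesale trades a 503 now for an outage later; spacing the calls out, or pinning the exemption to something harder to forge than a User-Agent (a source IP range, an authenticated session), keeps the protection in place.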


#8

[quote=“Ipstenu-DH, post:7, topic:61503”]
Finally we have a middle of the road one we’re working on, where we work WITH the apps to try and find a way to safely whitelist the specific app in a way that will still protect you.[/quote]

Thanks for the explanation - it confirms what I have learned while looking into this issue. Yes, turning off the protection wholesale is not desirable. I was not aware of the middle-ground option of having DreamHost work with the plug-in devs to find a safe way to whitelist their app. I like it.

OK, when I get home from work tonight I will look up my contact info for NextGEN (and the Lightroom plug-in) and send them your contact info.

Thank you very much for looking at this.

Ian