Post by (@david-maas) on Mon, 16 Mar 20 22:08:24 +0000

I just read (reddit/r/asknetsec) about a way of unmasking WordPress sites behind load balancers that requires no SSL searching at all. You can make the WordPress xmlrpc.php file connect to other sites as part of the pingback feature! Discussion: https://securityboulevard.com/2019/06/ip-disclosure-of-servers-behind-wafs-using-wordpress-xml-rpc/

Then to get past Cloudflare all I had to do was reform the request as a system.multicall request; an example request can be found here: https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/

Voila, now I can find the real IP behind any Cloudflare-protected WordPress site that hasn't disabled xmlrpc.php. You'd be surprised how many extremely fly-by-night sites use WordPress. The pingb.in thing is from the first article; my own webserver would have worked just as well.
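For defenders, the system.multicall detail above means a rule that matches only the top-level `methodName` of an XML-RPC body will not see a batched `pingback.ping`. The following is an added detection example, not part of the original post: the function names and the sample bodies are constructed for illustration, and it assumes the request body is available to the inspecting component.

```python
import xml.etree.ElementTree as ET

# Methods that make the server fetch a caller-supplied URL.
WATCHED = {"pingback.ping"}

def called_methods(body):
    """Every method name an XML-RPC body would invoke, unwrapping system.multicall."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD in XML-RPC body")  # never expand entities from untrusted input
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC call")
    top = (root.findtext("methodName") or "").strip()
    names = [top]
    if top == "system.multicall":
        # Each batched call is a <struct> holding a member named "methodName".
        # Walking every <member> over-approximates, which is acceptable for detection.
        for member in root.iter("member"):
            value = member.find("value")
            if (member.findtext("name") or "").strip() == "methodName" and value is not None:
                names.append("".join(value.itertext()).strip())
    return names

def naive_flag(body):
    """What a top-level-only rule sees."""
    return (ET.fromstring(body).findtext("methodName") or "").strip() in WATCHED

def flag(body):
    """Watched methods found anywhere in the request; fail closed on unparseable input."""
    try:
        return sorted(WATCHED.intersection(called_methods(body)))
    except (ET.ParseError, ValueError):
        return ["unparseable"]

# Constructed sample bodies; call arguments are deliberately left empty.
DIRECT = "<methodCall><methodName>pingback.ping</methodName><params/></methodCall>"
BATCHED = (
    "<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>"
    "<value><struct>"
    "<member><name>methodName</name><value><string>pingback.ping</string></value></member>"
    "<member><name>params</name><value><array><data/></array></value></member>"
    "</struct></value>"
    "</data></array></value></param></params></methodCall>"
)
BENIGN = "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"

if __name__ == "__main__":
    for label, body in (("direct", DIRECT), ("batched", BATCHED), ("benign", BENIGN)):
        print(label, "top-level only:", naive_flag(body), "unwrapped:", flag(body))
```

Where pingbacks are not needed, disabling or blocking xmlrpc.php, the condition the post names, makes the rule unnecessary.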