Wordpress

How to Stop XMLRPC Attack in WordPress

XML-RPC Attack

Saw a HTTP attack, it sent 12 to 20 requests per second on /xmlrpc.php, then made web server jam. In HTTP access log, we saw a lot of requests like this:

35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401
35.185.90.35 - - [03/Mar/2019:21:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401

Why was the server jammed? That was because we still allowed the public to access /xmlrpc.php, which costed us extra burdens on server to handle the requests. Meanwhile, the database service consumed CPU and IO resources a lot to deal with following queries.

The sources of attacks usually spoof IP addresses that belong to big internet companies. In this case, the attacker spoofed a Google IP to disguise itself as a normal visitor.

Solutions

Several ways that you can secure your server from XMLRPC attacks:

  1. Deny all requests on /xmlrpc.php
  2. Rename /xmlrpc.php

1. Deny all requests on xmlrpc.php

You can add a HTTP directive to httpd.conf or .htaccess for denying all requests on /xmlrpc.php.

Suppose the root directory of your virtual host is /wp/virtual-host, we append the directive to .htaccess.

[root@wordpress ~]# vi /wp/virtual-host/.htaccess
...
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

Any attempt will receive a http 403 forbidden header. In HTTP access log, we saw it’s different now:

35.185.90.35 - - [03/Mar/2019:21:35:41 -0500] "POST /xmlrpc.php HTTP/1.1" 403 212

Also, unexpected visitors will see the 403 header message like this:

XMLRPC 403 Forbidden
XMLRPC 403 Forbidden

2. Rename xmlrpc.php

In case that you cannot change httpd.conf or .htaccess, you can simply change the filename into a randomized one.

[root@wordpress blog1]# mv xmlrpc.php 4to13j4ig3404-xmlrpc.php

Any attempt will receive a http 404 not found header.

Please note that, HTTP 403 or 404 header consumes very little resources of your WordPress server comparing to HTTP 200 header while attacking. Once the spoofed IP address, the source of attack receive 403, it will stop XMLRPC attack.

Firewall Considerations

Why don’t we filter attacks in firewall? Like I said, those IP addresses disguise themselves as normal visitors, you cannot just block IP in firewall as you thought.

Leave a Reply

Your email address will not be published. Required fields are marked *