xmlrpc.php attacks in WordPress are basically brute force password attacks. The attackers can recover the passwords (but not the usernames) of your WordPress users; finding a username is trivial anyway. They do not seem to be able to use xmlrpc.php for anything other than brute force password guessing, but that is plenty.
Beyond the password guessing itself, the requests consume considerable resources, and on a small VPS this can amount to a denial of service.
Are You a Victim of an xmlrpc Brute Force Attack?
# grep xmlrpc /var/www/logs/access.log | head
46.105.8.191 - - [21/Feb/2016:14:52:29 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:30 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:31 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:32 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:33 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:34 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:35 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:36 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:37 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:38 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
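One way to turn the grep above into a per-IP count, as an added example that is not part of the original post: the function below reads an access log on stdin, counts only POST requests to /xmlrpc.php per client address, and prints the addresses at or above a threshold. The log lines it runs on are constructed sample data modelled on the entries above, and the threshold of 5 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example, not from the original post: count POST /xmlrpc.php requests
# per client IP in an Apache combined-format access log and report the IPs
# at or above a threshold. The log lines below are constructed sample data
# modelled on the pattern shown above.

sample_log() {
cat <<'EOF'
46.105.8.191 - - [21/Feb/2016:14:52:29 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:30 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:31 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:32 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:33 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:34 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
203.0.113.7 - - [21/Feb/2016:14:53:01 -0600] "POST /xmlrpc.php HTTP/1.1" 200 55161 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2016:14:53:02 -0600] "POST /xmlrpc.php HTTP/1.1" 200 55161 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Feb/2016:14:53:10 -0600] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0"
198.51.100.23 - - [21/Feb/2016:14:53:11 -0600] "GET /index.php HTTP/1.1" 200 8123 "-" "curl/7.47.0"
EOF
}

# xmlrpc_offenders THRESHOLD   (reads the access log on stdin)
# Only POST requests to /xmlrpc.php are counted: a GET just gets the
# "XML-RPC server accepts POST requests only" page and is harmless noise.
# Output: "<count> <ip>" for every IP at or above THRESHOLD, busiest first.
xmlrpc_offenders() {
    awk -v t="$1" '
        $6 == "\"POST" && $7 == "/xmlrpc.php" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
    ' | sort -rn
}

# Run on the constructed sample; on a real server use e.g.
#   xmlrpc_offenders 50 < /var/www/logs/access.log
sample_log | xmlrpc_offenders 5
```

The addresses it reports are candidates for the allow/deny rules below or for a fail2ban jail, not proof of compromise on their own.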
How to Block xmlrpc Attacks in Apache
This configuration blocks all access to xmlrpc.php. The order/deny directives are the Apache 2.2 access-control syntax; on Apache 2.4 the equivalent inside the Files block is Require all denied.
vim /etc/apache2/apache2.conf
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
How to Block xmlrpc Attacks in Apache but Allow Certain IPs
If you still want certain IPs to be able to reach xmlrpc.php, you can use a configuration like this:
vim /etc/apache2/apache2.conf
<Files xmlrpc.php>
order deny,allow
deny from all
# placeholder addresses: replace with the IPs that should keep access
allow from 192.0.2.10 203.0.113.20
</Files>
Hardening WordPress
To further harden WordPress, review the Hardening WordPress document.
1 reply on “How to Block XMLRPC ATTACKS in WordPress”
What about:
https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/