
How to Block XMLRPC ATTACKS in WordPress

xmlrpc.php attacks on WordPress are essentially brute-force password attacks. The attacker uses the XML-RPC endpoint to guess the passwords of your WordPress users (xmlrpc.php does not reveal usernames, but finding a username is trivial). The attackers do not seem to use xmlrpc.php for anything other than brute-force password guessing, but that is plenty.
In addition to the password guessing, these requests consume considerable resources, and on a small VPS this can act like a denial-of-service attack.

Are You a Victim of an xmlrpc Brute Force Attack?


# grep xmlrpc /var/www/logs/access.log | head
46.105.8.191 - - [21/Feb/2016:14:52:29 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:30 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:31 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:32 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:33 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:34 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:35 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:36 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:37 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:38 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
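The grep above shows the raw lines, but it does not tell you how many requests each client has sent or which client matters. The following is an added example, not code from the original post: a POSIX sh/awk function that counts POST requests to xmlrpc.php per client IP and lists every client above a threshold (the default of 20 is an assumed value; tune it to your own traffic). The log lines it runs on are constructed sample data using documentation-range addresses, not the addresses from the post, and the field positions assume Apache's standard common/combined log format.

```shell
#!/bin/sh
# Added example (not from the original post): count POST requests to
# xmlrpc.php per client IP in an Apache access log and list the clients
# that exceed a threshold. The sample log written below is constructed.

# Print "count ip" for each client whose xmlrpc.php POSTs exceed $2
# (default 20), highest count first. Field layout of the common/combined
# format: $1 = client IP, $6 = "\"POST", $7 = request path.
xmlrpc_offenders() {
    log="$1"
    threshold="${2:-20}"
    awk -v t="$threshold" '
        $6 == "\"POST" && index($7, "/xmlrpc.php") == 1 { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Write a constructed sample access log to the path given as $1.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 25 ]; do
        # one client hammering xmlrpc.php once per second
        printf '198.51.100.7 - - [21/Feb/2016:14:52:%02d -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    # a second client with a handful of XML-RPC calls (e.g. a mobile app)
    printf '203.0.113.9 - - [21/Feb/2016:15:01:00 -0600] "POST /xmlrpc.php HTTP/1.1" 200 521 "-" "wp-android"\n' >> "$out"
    printf '203.0.113.9 - - [21/Feb/2016:15:01:05 -0600] "POST /xmlrpc.php HTTP/1.1" 200 521 "-" "wp-android"\n' >> "$out"
    printf '203.0.113.9 - - [21/Feb/2016:15:01:09 -0600] "POST /xmlrpc.php HTTP/1.1" 200 521 "-" "wp-android"\n' >> "$out"
    # ordinary page views and a GET of xmlrpc.php, which are not counted
    printf '192.0.2.10 - - [21/Feb/2016:15:02:00 -0600] "GET /index.php HTTP/1.1" 200 9231 "-" "Mozilla/5.0"\n' >> "$out"
    printf '192.0.2.10 - - [21/Feb/2016:15:02:01 -0600] "GET /xmlrpc.php?rsd HTTP/1.1" 200 390 "-" "Mozilla/5.0"\n' >> "$out"
}

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
make_sample_log "$SAMPLE_LOG"

echo "clients with more than 20 xmlrpc.php POSTs:"
xmlrpc_offenders "$SAMPLE_LOG" 20
```

On a real server replace `$SAMPLE_LOG` with your access log, e.g. `xmlrpc_offenders /var/www/logs/access.log 50`. Only POSTs are counted because the brute-force traffic in the post is all POST; a GET of xmlrpc.php (for example the `?rsd` discovery request) is normal WordPress behaviour.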

How to Block xmlrpc Attacks in Apache

This code blocks all access to xmlrpc.php.


vim /etc/apache2/apache2.conf
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

How to Block xmlrpc Attacks in Apache While Allowing Specific IPs

If you still want to allow certain IPs to access xmlrpc.php, you can use a block like this:


vim /etc/apache2/apache2.conf
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 111.222.333.444 100.200.300.400
</Files>
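The two snippets above use the `Order`, `Deny` and `Allow` directives of Apache 2.2. On Apache 2.4 they only work when mod_access_compat is loaded; the native 2.4 form is `Require all denied` and `Require ip`. The addresses in the post are placeholders (an octet above 255 is not a valid IPv4 address), so a script that writes this block should validate what it is given. The following is an added example, not code from the original post: a POSIX sh script that emits the 2.4-style `<Files>` block, closed to everyone when called with no arguments and restricted to the listed addresses otherwise. The function and variable names are my own; the documentation-range addresses used in the example run are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): emit an Apache 2.4 <Files>
# block that denies xmlrpc.php to all clients, or allows only the IPv4
# addresses passed as arguments. Each address is validated first, because
# placeholders such as 111.222.333.444 are not real IPv4 addresses.

# Return 0 if $1 is a dotted quad with every octet in 0-255, else 1.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $1            # split on dots into the four octets
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the <Files> block. With no arguments xmlrpc.php is closed to all
# clients; with arguments only the listed addresses may reach it.
xmlrpc_block_conf() {
    if [ "$#" -eq 0 ]; then
        printf '<Files xmlrpc.php>\n    Require all denied\n</Files>\n'
        return 0
    fi
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            printf 'refusing to write config: %s is not a valid IPv4 address\n' "$ip" >&2
            return 1
        fi
    done
    printf '<Files xmlrpc.php>\n    Require ip %s\n</Files>\n' "$*"
}

# Example run: deny everyone, reject the post's placeholder, then allow two hosts.
xmlrpc_block_conf
xmlrpc_block_conf 111.222.333.444 || echo "(placeholder rejected, as expected)"
xmlrpc_block_conf 203.0.113.5 198.51.100.7
```

Redirect the output into a file under your Apache configuration (for example a `conf-available` snippet on Debian-style layouts) and run `apachectl configtest` before reloading. `Require ip` also accepts CIDR ranges such as `203.0.113.0/24`; the validator here deliberately handles only single addresses. Keep in mind that Jetpack and the WordPress mobile apps talk to xmlrpc.php, so if you use them the allowlist form is the one you want.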


Hardening WordPress

To further harden WordPress, review the Hardening WordPress document.
