How to Block XMLRPC ATTACKS in WordPress

xmlrpc.php attacks in WordPress are basically brute-force password attacks. Through xmlrpc.php the attacker can guess the passwords (but not the usernames) of your WordPress users; finding the username is trivial anyway. The attackers seem unable to use xmlrpc.php for anything other than brute-force password guessing, but that is plenty.
In addition to the password guessing itself, these requests consume considerable resources, and on a small VPS this can act like a denial-of-service attack.

Are You a Victim of an xmlrpc Brute Force Attack?

# grep xmlrpc /var/www/logs/access.log | head
46.105.8.191 - - [21/Feb/2016:14:52:29 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:30 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:31 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:32 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:33 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:34 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:35 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:36 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:37 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
46.105.8.191 - - [21/Feb/2016:14:52:38 -0600] "POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"
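As an added example (not from the original post), the following Python script parses Apache combined-format log lines like the ones above and flags client IPs whose POSTs to /xmlrpc.php exceed a threshold within a sliding time window. The sample log lines are constructed for the example; 192.0.2.10 is a made-up client from the documentation address range.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, matching the access.log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: ten xmlrpc.php POSTs from 46.105.8.191 (as in the post) plus two
# ordinary requests from a made-up client in the documentation range (192.0.2.10).
SAMPLE_LOG = [
    f'46.105.8.191 - - [21/Feb/2016:14:52:{29 + i} -0600] '
    '"POST /xmlrpc.php HTTP/1.0" 200 55161 "-" "-"'
    for i in range(10)
] + [
    '192.0.2.10 - - [21/Feb/2016:14:53:01 -0600] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Feb/2016:14:53:05 -0600] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Jetpack"',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def xmlrpc_offenders(lines, threshold=5, window_seconds=60):
    """Map each IP whose /xmlrpc.php POSTs exceed `threshold` in any `window_seconds` window to its peak count."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?", 1)[0] == "/xmlrpc.php":
            hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # two-pointer sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders
```

Feed it the real log (for example `xmlrpc_offenders(open("/var/www/logs/access.log"))`) to get the list of IPs worth blocking or rate-limiting; a single legitimate client such as a mobile app or Jetpack stays below the threshold.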

How to Block xmlrpc Attacks in Apache

This configuration blocks all access to xmlrpc.php. The Order/Deny directives below are the Apache 2.2 (mod_access_compat) syntax; on Apache 2.4 the equivalent inside the same Files block is "Require all denied" (mod_authz_core).


vim /etc/apache2/apache2.conf
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>

How to Allow Specific IPs to Access xmlrpc.php in Apache

If you still want to allow certain IPs to access xmlrpc.php, you can use a block like this (replace the placeholder addresses with your own):


vim /etc/apache2/apache2.conf
<Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from 111.222.333.444 100.200.300.400
</Files>


Hardening WordPress

To further harden WordPress, you should review the Hardening WordPress document.

Remove WordPress Revisions


-- Deletes every revision row together with its term relationships and postmeta.
-- Back up the database first, and adjust the wp_ prefix if your install uses another one.
DELETE a, b, c
FROM wp_posts a
LEFT JOIN wp_term_relationships b ON (a.ID = b.object_id)
LEFT JOIN wp_postmeta c ON (a.ID = c.post_id)
WHERE a.post_type = 'revision';

Site-wide limiting of revisions in wp-config.php:


define('WP_POST_REVISIONS', false); // disable revisions entirely
// or, if you want to keep one revision per post:
define('WP_POST_REVISIONS', 1);

Note that you cannot delete every row with the 'inherit' post_status in wp_posts, because each attachment inherits its short codes from the published article. If I publish ID 271 and then have 3 attachments, they'll be numbered 272, 273 and 274.