• I am on a shared host but behind Cloudflare (to avoid such situations).
    I was getting what must have been 10s of thousands of requests to xmlrpc.php per minute, and this made me reach my CPU limit and cPanel started to reject connections.
    I set Cloudflare to ‘I am under attack’ and this blocked most access to my website while I figure out what to do.
    A Google search resulted in:

    RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]

    # Block attackers by agents
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp\.WinHttpRequest\.5.*$
    RewriteRule .* https://%{REMOTE_ADDR}/ [R,L]
    </IfModule>

    I added that and while this did not stop the attack, it removed the high CPU usage.

    How long do I keep the rewrite rule? What is the best way to deal with this situation?
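
One way to answer "how long do I keep the rule" from the access log, as an added example that is not part of the original post: it counts xmlrpc.php requests per minute and reports when they dropped off. It assumes Apache's combined log format; the function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; adjust the pattern if your host logs differently).
# The client address field is ignored: behind a proxy such as Cloudflare it is the
# proxy's address unless the server is configured to restore the visitor IP.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def summarize(lines):
    """Tally /xmlrpc.php requests per minute, per response status and per user agent."""
    per_minute, per_status, per_agent = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        minute = m.group("ts")[:17]  # e.g. "10/Oct/2014:13:55"
        per_minute[minute] += 0  # record every minute with traffic, even at zero hits
        if m.group("path").split("?", 1)[0] != "/xmlrpc.php":
            continue
        per_minute[minute] += 1
        per_status[m.group("status")] += 1  # 301 here means the rewrite rule answered
        per_agent[m.group("agent")] += 1
    return per_minute, per_status, per_agent

def quiet_since(per_minute, threshold):
    """First minute of the trailing run with hits <= threshold, or None if still busy."""
    start = None
    for minute, hits in reversed(list(per_minute.items())):
        if hits > threshold:
            break
        start = minute
    return start

# Constructed sample lines, not taken from the thread.
BOT = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2014:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.0" 301 233 "-" "{BOT}"',
    f'203.0.113.8 - - [10/Oct/2014:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.0" 301 233 "-" "{BOT}"',
    f'203.0.113.9 - - [10/Oct/2014:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.0" 301 233 "-" "{BOT}"',
    '198.51.100.4 - - [10/Oct/2014:13:56:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [10/Oct/2014:13:56:30 +0000] "POST /xmlrpc.php HTTP/1.0" 301 233 "-" "{BOT}"',
    '198.51.100.4 - - [10/Oct/2014:13:57:05 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    per_minute, per_status, per_agent = summarize(SAMPLE_LOG)
    print(dict(per_minute), dict(per_status), quiet_since(per_minute, threshold=1))
```

Minutes with no logged traffic at all do not appear in the tally, so on a very quiet site compare the last listed minute against the current time as well.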

Viewing 5 replies - 1 through 5 (of 5 total)
  • You may use the security tips located here
    https://digwp.com/2009/06/xmlrpc-php-security/
    https://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/comment-page-1/

    But the best one would be to delete this, if it's of no use.

    Thread Starter Hussam Al-Tayeb (@hussam-al-tayeb)

    Deleting it won’t help as it will trigger a crazy number of 404 requests which WordPress has to process.
    Right now, the only way that seems to be helping is redirecting requests to xmlrpc.php to a fictional IP.
    I guess I will just keep it like this till the attack subsides. Thank you.

    Yes, that’s a good idea.

    This issue has resurfaced as of 4.0

    It is a huge issue; malicious scripts are using this to devalue and consume bandwidth, which results in undesirable issues for WordPress users.

    I did not see an entirely useful solution posted.

    @the Grey Parrots it appears the link for the reference of security was published a long long time ago.
    “Working with WordPress version 2.8 at the time of this writing.”

    Does anyone have a more detailed method of managing this issue?

    In general there should be a much better understanding of server setups, wp-config.php modifications and adjusting the .htaccess file. Given the growing popularity of WordPress today, we cannot just install and use an average webserver anymore with just a simple WordPress installation and expect that everything is safe and clean.

    In my experience with a VPS I learned that there should be much more knowledge of what is going on around WordPress attacks, to configure everything in the right way. So if you have multiple sites to serve, take care of your knowledge and know what to expect from your hosting provider, especially when you choose an unmanaged VPS.

    The WP Codex should make a special (and easy to find) chapter around all these issues.

    Just my thoughts.

    Peter Luit
    The Netherlands

  • The topic ‘xmlrpc.php related attack’ is closed to new replies.