Brute force attack on xmlrpc.php not blocked

  • Resolved mattf10

    (@mattf10)


    5 years, 2 months ago

    I noticed high load on my server and traced it to a single IP posting to xmlrpc.php every second. I have manually blocked the IP at the firewall.

    According to this article and this support topic, Wordfence should be blocking these requests. I looked for anything in settings to do with xmlrpc and the only one I found was to do with requiring 2FA for authentication.

    Have I missed a setting, or have I misunderstood how Wordfence deals with repeated attempts to access site via xml-rpc? I use fail2ban and can create a filter, but would rather Wordfence deal with this if possible.

    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hey @mattf10,

    I suspect what you’re seeing is IPs getting blocked from the attacks. This means it’s working. But we can’t stop them from trying, and Live Traffic will record the actions. There’s only so much we can do to prevent attacks, it’s more about making sure they aren’t successful, which it sounds like Wordfence is doing.

    Thanks,

    Gerroald

    Thread Starter mattf10

    (@mattf10)

    No, the attacks are not being blocked – that’s the problem. Doesn’t WordFence see repeated attempts (1 per second for 2 hours) as a brute force attack and block the IP at its firewall, same as it does for repeated attempts to access wp-login.php?

    Here is a screen shot of the live traffic from yesterday. Notice that none of the attempts are blocked. Why aren’t they blocked?

    Thanks

    Hey @mattf10,

    My apologies for the delay here. I’m looking for older unresolved cases today.

    Wordfence doesn’t specifically block the xmlrpc.php files. It will only Two-Factor authentication attempts via xmlrpc.php if the Disable XML-RPC authentication feature is enabled in Login Security. If you wish to completely block attempts to it you can either use a different plugin or by adding the code below to your htaccess file.

    # Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

    Thanks,

    Gerroald

    • This reply was modified 5 years, 1 month ago by WFGerroald.
    • This reply was modified 5 years, 1 month ago by WFGerroald.
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Brute force attack on xmlrpc.php not blocked’ is closed to new replies.

Tags