Viewing 15 replies - 1 through 15 (of 15 total)
    Thread Starter IvanRF

    (@ivanrf)

    Here you have a screenshot

    At least 47 entries in the last 24 hours.

    Plugin Author WFMattR

    (@wfmattr)

    I get a “403 forbidden” message from the site where the screenshot was posted. Can you try posting it again, or make the existing one public?

    I haven’t seen any sites showing 404s for xmlrpc.php yet. I have your recent access log file from your other post here, and I see a lot of “500” errors on xmlrpc.php, which generally means the server couldn’t process the request. Are you using any other software to block it, or does your host use mod_security or another measure to block this file?

    It may also be possible that you’re being attacked by a bot that is so poorly made that it isn’t using xmlrpc.php correctly, or it’s looking for a flaw that doesn’t make sense on your particular server. (Possibly something outdated that doesn’t work anymore.)

    Also, do the “non-existent page” messages say that the visitors left a page, and then went to xmlrpc.php? (That may be a different issue, if so.)

    Thread Starter IvanRF

    (@ivanrf)

    Another link: screen-shot

    Two of my sites show 404 errors for xmlrpc.php. The other one, 7 to 8 days ago, had these messages:

    left /wp-login.php and tried to access non-existent page /wp-login.php

    It may also be possible that you’re being attacked by a bot that is so poorly made, that it isn’t using xmlrpc.php correctly

    I’m receiving a lot of mails from hack attempts for ‘admin’, so it could be.

    Thread Starter IvanRF

    (@ivanrf)

    I just checked the log for the site of the screenshot. For the first entry, I found this:

    195.146.145.230 - - [16/Sep/2015:07:24:28 -0700] "POST /xmlrpc.php HTTP/1.1" 500 12240 "-" "-"
    195.146.145.230 - - [16/Sep/2015:07:24:29 -0700] "POST /xmlrpc.php HTTP/1.1" 500 12240 "-" "-"

    Thread Starter IvanRF

    (@ivanrf)

    Looking at the same log for today, I found this:

    178.130.7.49 - - [16/Sep/2015:13:11:54 -0700] "GET /wp-login.php HTTP/1.1" 200 2988 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
    178.130.7.49 - - [16/Sep/2015:13:11:55 -0700] "POST /wp-login.php HTTP/1.1" 302 - "https://mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
    178.130.7.49 - - [16/Sep/2015:13:11:56 -0700] "POST /wp-login.php HTTP/1.1" 302 - "https://mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"

    There are a lot of these entries from different IPs.

    Thread Starter IvanRF

    (@ivanrf)

    Are you using any other software to block it, or does your host use mod_security or another measure to block this file?

    I checked PHP info and there is no mod_security. I just use Wordfence.

    Plugin Author WFMattR

    (@wfmattr)

    The “500” errors are not normal if you don’t have anything intentionally blocking xmlrpc.php, but it could be something else your host is doing. A 500 error is usually shown as an “Internal server error” when a visitor sees it, but it looks like these are attempts to break in, in one way or another.

    I think mod_security may not appear in phpinfo even if it’s installed. (It’s an apache module, and not a php extension — some Apache servers may show it in a string that phpinfo would show, but some may hide it.)

    The wp-login.php attempts in your log look like normal (bad) login attempts, but I don’t know why some of them might have shown up as non-existent pages. I do see one in the log you had sent where someone tried to access /blog/wp-login.php though, which is another one that bots sometimes test (by guessing it might exist).

    Your host may be able to tell you more about what happened on any of those visits with the “500” response code, or you might find details in your site’s error log file.

    Thread Starter IvanRF

    (@ivanrf)

    By chance, I was in my host cPanel and a lot of Entry Processes appeared. Then, all my resources went to Red. I checked the log and there was one IP doing a DDoS attack:

    91.207.158.91 - - [04/Oct/2015:17:12:11 -0700] "GET /wp-includes/pomo/?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 68288 "-" "-"
    91.207.158.91 - - [04/Oct/2015:17:12:12 -0700] "GET /wso.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 68272 "-" "-"
    91.207.158.91 - - [04/Oct/2015:17:12:32 -0700] "GET /info.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 276 "-" "-"
    91.207.158.91 - - [04/Oct/2015:17:12:36 -0700] "GET /wp-content/218.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 276 "-" "-"
    91.207.158.91 - - [04/Oct/2015:17:12:37 -0700] "GET /wp-content/lib.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 276 "-" "-"
    ...

    Again, from their first attempt they got a 500 code. However, they were still eating my resources.

    Wordfence was not able to block this, surely because my host was in the middle (I guess). I had to manually block the IP in my server. Unfortunately, I disabled Live Traffic, so I can’t say if Wordfence logged something.

    Plugin Author WFMattR

    (@wfmattr)

    If you can find your site’s error log file (usually named error_log or error.log, but it appears in different places on different hosts), you might be able to find out what was causing the 500 error.

    The 500 code usually shows up if something is wrong in the server setup or .htaccess, but it could be from other plugins or something the host has set up.

    If it’s a server or .htaccess issue, it would be before Wordfence has a chance to run, but there wouldn’t be much it could tell you about these attempts. These hits also have different sizes — the first two are 68k, the last 3 are 276. Your host could tell you if they are doing something specific to cause bad hits to get a “500” error like this.

    -Matt R
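    A small triage script for the kind of access-log lines quoted in this thread, written to group the three signals discussed here (500s on xmlrpc.php, bursts of POSTs to wp-login.php, and blank-User-Agent probes of script paths) per client IP. This is an added example, not code from Wordfence or from either poster; the log lines inside it are constructed to mirror the thread's excerpts using documentation-range IPs, and the `parse`/`triage` function names and the login threshold are assumptions of my own.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format, the layout of the access-log lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the thread; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Sep/2015:07:24:28 -0700] "POST /xmlrpc.php HTTP/1.1" 500 12240 "-" "-"
203.0.113.10 - - [16/Sep/2015:07:24:29 -0700] "POST /xmlrpc.php HTTP/1.1" 500 12240 "-" "-"
198.51.100.7 - - [16/Sep/2015:13:11:54 -0700] "GET /wp-login.php HTTP/1.1" 200 2988 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2015:13:11:55 -0700] "POST /wp-login.php HTTP/1.1" 302 - "https://mysite.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2015:13:11:56 -0700] "POST /wp-login.php HTTP/1.1" 302 - "https://mysite.com/wp-login.php" "Mozilla/5.0"
192.0.2.55 - - [04/Oct/2015:17:12:11 -0700] "GET /wp-includes/pomo/?root=1&upl=1 HTTP/1.0" 500 68288 "-" "-"
192.0.2.55 - - [04/Oct/2015:17:12:12 -0700] "GET /wso.php?root=1&upl=1 HTTP/1.0" 500 68272 "-" "-"
192.0.2.55 - - [04/Oct/2015:17:12:36 -0700] "GET /wp-content/218.php?root=1 HTTP/1.0" 500 276 "-" "-"
198.51.100.9 - - [04/Oct/2015:17:20:00 -0700] "GET /2015/10/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, login_threshold=2):
    """Return {ip: [tags]} for IPs showing any of the patterns discussed in the thread."""
    findings = defaultdict(set)
    login_posts = Counter()
    for r in parse(log_text):
        script = r["path"].split("?", 1)[0]          # drop the query string
        if script.endswith("/xmlrpc.php") and r["status"] == "500":
            findings[r["ip"]].add("xmlrpc-500")       # the 500s Matt asked about
        if script.endswith("/wp-login.php") and r["method"] == "POST":
            login_posts[r["ip"]] += 1                 # counted, thresholded below
        if r["ua"] == "-" and script not in ("/xmlrpc.php", "/wp-login.php"):
            findings[r["ip"]].add("blank-ua-probe")   # scanner hits like /wso.php
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].add("wp-login-burst")
    return {ip: sorted(tags) for ip, tags in findings.items()}
```

    Lines that do not match the format (for example the "..." the poster used to elide output) are skipped rather than raising, so the script can be pointed at a raw cPanel access log.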

    Thread Starter IvanRF

    (@ivanrf)

    I checked and the error log does not have corresponding logs for those times and tons of attempts.

    It’s definitely something with GoDaddy. Tired of seeing 500 errors with xmlrpc.php, I disabled it and added a “Deny from all” for that file in .htaccess. In my test server I got the 403 forbidden response, but in GoDaddy server the response is 404 Not Found. Now, the hack attempts cause 404 and 503 response codes.

    Plugin Author WFMattR

    (@wfmattr)

    Ok, if you have a “Deny from all” in the .htaccess for that URL and keep getting different response codes (404 and 503), then it must be something the host is doing. I would expect it is mod_security (an Apache module), but may also be something else.

    GoDaddy could probably tell you what they block, but they may have very complicated rules set up, possibly including third-party rules that they don’t maintain themselves, so it may be more complicated than their support people can explain. If the bad visits are being blocked though, and no legitimate traffic is being blocked, then it should be ok.

    I think that’s all we can do here, since the visits are being blocked before they get to WordPress & Wordfence. Thanks!

    -Matt R

    Thread Starter IvanRF

    (@ivanrf)

    Yes, I think we can say that this was related to the host and not to Wordfence. Thanks!

    Thread Starter IvanRF

    (@ivanrf)

    I just found this: Brute Force Amplification Attacks Against WordPress XMLRPC.

    So, maybe the 500 errors on POST /xmlrpc.php that I mentioned were actually exhausting my host.

    I wanted to share this new hack. Currently and luckily, I disabled everything related to XMLRPC.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks — Wordfence does block those attempts already too, but before they reached WordPress, your host may have blocked them with another method (like mod_security) or they could have limits set on the incoming request size — such long requests could go over a reasonable limit.

    We have a couple of recent articles from the past week too, if you are interested:

    WordPress XML-RPC Brute Force Attacks with multiple logins

    Should You Disable XML-RPC on WordPress?

    -Matt R

    Thread Starter IvanRF

    (@ivanrf)

    Nice, thanks for the info!

  • The topic ‘Non-existent page for xmlrpc.php’ is closed to new replies.