• Over the past year all my sites have come under this really effective denial of service attack. I must be setting something up wrong! With both Apache and Nginx a site with upwards of 4 GB RAM available on a proper VPS will become completely unresponsive and unavailable.

    The logs show mega spam targeting xmlrpc.php…

    This has been going on a long time, so I’m sure I’m just missing something in my configs. What do I need to do to protect from this attack?

    (Only way so far has been to put the site behind Cloudflare, then block all traffic coming from elsewhere… but I can’t do this on all the sites I maintain.)

    Thanks for your help!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Sounds like Cloudflare (paid account?) and your host (unless you’re running your own server) need to help with DDOS attacks.

    If not, do you have access to xmlrpc.php disabled? Do you use it for posting or comments? See https://www.ads-software.com/plugins/search.php?q=disable+XML-RPC

    Or use

    # Apache 2.2 access syntax; Apache 2.4 needs mod_access_compat loaded
    # for these directives (the 2.4-native form is "Require all denied")
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    in .htaccess in Apache. Or

    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
        # "return" runs in nginx's rewrite phase, before the access phase
        # that evaluates "deny all", so clients simply get the connection
        # closed (444) rather than a 403
        return 444;
    }

    inside the server block on Nginx.

    Thread Starter owenw (@owenw)

    Thanks for the suggestions.

    These attacks aren’t even DDOS attacks, they come from 1 or 2 IPs (that do change occasionally). It works to bring down just about any WordPress site with ease. Could this be a bug that needs reporting? (I’ve run into this a few times with different sites I manage. All on Linode VPSs.)

    I’ll try disabling xmlrpc! I think I can get away without its benefits. But I was hoping I’d been doing something wrong, given how easy this attack is to bring down WordPress on a VPS.

    These attacks aren’t even DDOS attacks, they come from 1 or 2 IPs (that do change occasionally).

    Block them manually in .htaccess:

    # placeholder addresses (RFC 5737 documentation ranges); substitute the
    # attacking IPs from your access log
    order deny,allow
    deny from 192.0.2.10
    deny from 198.51.100.45
    allow from all

    Wrong terminology; one or two IPs is not DDOS. Block the IPs as barnez says, either in .htaccess – the most efficient in terms of server load – or with something like https://www.ads-software.com/plugins/wp-ban/

    given how easy this attack is to bring down WordPress on a vps…

    A VPS, when properly configured will stand a lot of abuse. You may simply not have configured Apache/Nginx, PHP and MySQL to handle high loads.


    Traditional cPanel VPS providers use multiple technologies or tools, such as fail2ban, to ban the IPs temporarily or rate-limit such IPs. Linode VPS is an unmanaged VPS where such tools may not have been installed by default. In such cases, you may use the plugin (WP-Ban) already mentioned by Mark. However, since multiple sites are hosted in the same VPS, it is recommended to do these at the server level to reduce their impact on the server.
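The replies above (block the one or two attacking IPs in .htaccess, or ban them at the server level) leave the log-reading step to the reader. As an added example that is not part of this thread, of WordPress, or of any plugin mentioned here, the POSIX shell script below pulls the busiest xmlrpc.php clients out of a combined-format Apache/nginx access log and prints deny rules in either the .htaccess form barnez posted or the nginx form. The log lines are constructed for the example and use RFC 5737 documentation addresses; the function names and the hit threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: find the clients hammering
# xmlrpc.php in an access log and emit ready-to-paste deny rules.
# Assumes the default Apache/nginx "combined" log format, where the
# client IP is field 1, the method field 6 and the path field 7.

# Constructed sample standing in for /var/log/nginx/access.log.
# 203.0.113.7, 198.51.100.23 and 192.0.2.44 are documentation addresses.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2016:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2016:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Mar/2016:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [10/Mar/2016:12:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47"
192.0.2.44 - - [10/Mar/2016:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'

# xmlrpc_hits: read log lines on stdin, print "count ip" for every client
# that POSTed to /xmlrpc.php (GETs are ignored; WordPress answers those
# with a cheap 405), busiest first.
xmlrpc_hits() {
    awk '$6 == "\"POST" && index($7, "/xmlrpc.php") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# xmlrpc_offenders THRESHOLD: IPs with at least THRESHOLD xmlrpc.php POSTs.
xmlrpc_offenders() {
    min="$1"
    xmlrpc_hits | awk -v min="$min" '$1 >= min { print $2 }'
}

# deny_rules apache|nginx: turn offender IPs on stdin into an .htaccess
# block (Apache 2.2 syntax, as in the reply above) or nginx deny lines.
deny_rules() {
    case "$1" in
        apache)
            echo "order deny,allow"
            while read -r ip; do echo "deny from $ip"; done
            echo "allow from all" ;;
        nginx)
            while read -r ip; do echo "deny $ip;"; done ;;
        *)
            echo "usage: deny_rules apache|nginx" >&2
            return 1 ;;
    esac
}

# Stand-alone demo on the constructed log: a threshold of 2 flags the two
# POST-heavy clients and leaves the occasional visitor alone.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_hits
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_offenders 2 | deny_rules apache
```

On a live server the call is something like `xmlrpc_offenders 200 < /var/log/nginx/access.log | deny_rules nginx`, with the output pasted into the server block (or the Apache form into .htaccess), and the threshold chosen from what a legitimate Jetpack or mobile-app client actually sends. Counting over the whole log file is crude: fail2ban does the same count over a sliding time window and lifts the ban again later, which is why the reply above recommends it at the server level on a VPS that hosts several sites.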

  • The topic ‘xmlrpc denial of service’ is closed to new replies.