Protecting Wordpress From XML-RPC Attacks

    Introduction

    WordPress is a popular and powerful CMS (content management system) platform. Its popularity can bring unwanted attention in the form of malicious traffic specially targeted at a WordPress site.

    There are many instances where a server that has not been protected or optimized could experience issues or errors after receiving even a small amount of malicious traffic. These attacks exhaust system resources, causing services like MySQL to become unresponsive. The most common visual cue of this is an "Error connecting to database" message. The web console may also display Out of Memory errors.

    This guide will show you how to protect WordPress from XML-RPC attacks on an Ubuntu 14.04 system.

     

    Prerequisites

    For this guide, you need the following:

    • Ubuntu 14.04 Instance
    • A non-root user with sudo privileges

    All the commands in this tutorial should be run as a non-root user.

     

    What is XML-RPC?

    WordPress uses XML-RPC to execute functions remotely. The popular plugin Jetpack and the WordPress mobile application are two good examples of how WordPress uses XML-RPC. This same functionality can also be abused to send thousands of requests to WordPress in a short amount of time. This scenario is effectively a brute force attack.

     

    Recognizing an XML-RPC Attack

    The two main ways to recognize an XML-RPC attack are as follows:

    1) Seeing the "Error connecting to database" message when your WordPress site is down
    2) Finding many entries similar to "POST /xmlrpc.php HTTP/1.0" in your web server logs

    The location of your web server log files depends on what Linux distribution you are running and what web server you are running.

    For Apache on Ubuntu 14.04, use this command to search for XML-RPC attacks:

    • grep xmlrpc /var/log/apache2/access.log

    For Nginx on Ubuntu 14.04, use this command to search for XML-RPC attacks:

    • grep xmlrpc /var/log/nginx/access.log

    Your WordPress site is receiving XML-RPC attacks if the commands above result in many lines of output, similar to this example:

    access.log
    111.222.333.444:80 555.666.777.888 - - [01/Jan/2016:16:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    

    The rest of this article focuses on three different methods for preventing further XML-RPC attacks.

     

     Manually Blocking All XML-RPC Traffic

    The XML-RPC block can also be applied manually to your Apache or Nginx configuration.

    For Apache on Ubuntu 14.04, edit the configuration file with the following command:

    • sudo nano /etc/apache2/sites-available/000-default.conf

    Add the following <files> block between the <VirtualHost> tags.

    Apache VirtualHost Config
    <VirtualHost>
    …    
        <files xmlrpc.php>
          order allow,deny
          deny from all
        </files>
    </VirtualHost>
    

    Save and close this file when you are finished.

    Restart the web server to enable the changes:

    • sudo service apache2 restart

    For Nginx on Ubuntu 14.04, edit the configuration file with the following command (change the path to reflect your configuration file):

    • sudo nano /etc/nginx/sites-available/example.com

    Add the following location block within the server block:

    Nginx Server Block File
    server {
    …
        location /xmlrpc.php {
            deny all;
        }
    }
    

    Save and close this file when you are finished.

    Restart the web server to enable the changes:

    • sudo service nginx restart

    Warning: This method will stop anything that utilizes XML-RPC from functioning, including Jetpack or the WordPress mobile app.

     

    Verifying Attack Mitigation Steps

    Whatever method you chose to prevent attacks, you should verify that it is working.

    If you enable the Jetpack Protect function, you will see XML-RPC requests continue in your web server logs. The frequency should be lower and Jetpack will reduce the load an attack can place on the database server process. Jetpack will also progressively block the attacking IP addresses.

    If you manually block all XML-RPC traffic, your logs will still show attempts, but the resulting status code will be something other than 200. For example, entries in the Apache access.log file may look like:

    access.log
    111.222.333.444:80 555.666.777.888 - - [01/Jan/2016:16:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 500 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
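    The two log checks in this article (spotting a flood of "POST /xmlrpc.php" entries, and confirming that those requests stop getting a 200 once the block is in place) can be scripted instead of eyeballing grep output. The Python below is an added example, not part of the original article; the log lines in it are constructed in the same layout as the samples above, and the request threshold of 3 is an assumed tuning value.

```python
import re
from collections import Counter

# Matches the article's log layout: an optional leading "host:port" field,
# then the client IP, two "-" fields, the bracketed timestamp, the quoted
# request line and the HTTP status code.
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})'
)

# Constructed sample log (not real traffic): a burst of xmlrpc.php POSTs
# from one client, a single POST from another, one POST refused with 403
# after the deny rule was added, and an ordinary page request.
SAMPLE_LOG = """\
111.222.333.444:80 555.666.777.888 - - [01/Jan/2016:16:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
111.222.333.444:80 555.666.777.888 - - [01/Jan/2016:16:33:51 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
111.222.333.444:80 555.666.777.888 - - [01/Jan/2016:16:33:51 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
111.222.333.444:80 203.0.113.10 - - [01/Jan/2016:16:34:02 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
111.222.333.444:80 555.666.777.888 - - [01/Jan/2016:16:40:12 -0500] "POST /xmlrpc.php HTTP/1.0" 403 199 "-" "Mozilla/4.0"
111.222.333.444:80 198.51.100.7 - - [01/Jan/2016:16:40:20 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def xmlrpc_posts(log_text):
    """Yield the parsed fields of every 'POST /xmlrpc.php' line in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == "/xmlrpc.php":
            yield m.groupdict()

def xmlrpc_summary(log_text):
    """Return (POSTs per client IP, POSTs per HTTP status) as two Counters."""
    per_ip, per_status = Counter(), Counter()
    for rec in xmlrpc_posts(log_text):
        per_ip[rec["ip"]] += 1
        per_status[rec["status"]] += 1
    return per_ip, per_status

def noisy_clients(per_ip, threshold=3):
    """Client IPs at or above `threshold` xmlrpc.php POSTs (threshold is an
    assumed tuning value; pick one that fits your site's legitimate use)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def block_is_working(log_text):
    """True when the log holds xmlrpc.php POSTs and none was answered 200,
    i.e. the deny rule from the article is in effect for those lines."""
    per_status = xmlrpc_summary(log_text)[1]
    return sum(per_status.values()) > 0 and per_status["200"] == 0
```

    To run it against a live server, read /var/log/apache2/access.log or /var/log/nginx/access.log into `xmlrpc_summary` and check `block_is_working` on the lines written after the restart.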
    
     

    Conclusion

    By taking steps to mitigate malicious XML-RPC traffic, your WordPress site will consume fewer system resources. Exhausting system resources is the most common reason why a WordPress site goes offline on a VPS. The methods of preventing XML-RPC attacks described in this article will ensure your WordPress site stays online.
