WordPress and XML RPC attack

Yesterday I checked my blog and got “Request timed out”. As you can guess from the title, I had become a victim of an XML-RPC attack. There is a lot of information on the Internet describing what the XML-RPC attack is and how to defend your blog; here I will describe how I fought the attack myself. Well, with the help of the mighty Google search 🙂

So when I logged into my AWS instance, the first symptom was high CPU load from httpd, which is not very surprising for a t2.micro instance type 🙂 Then I checked /var/log/httpd/access_log and found tons of entries like this:

191.96.249.80 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Every one of those POSTs is executed by PHP (and here ends in a 500), which is what eats the CPU. The first mitigation is to disable access to /xmlrpc.php in .htaccess:

Redirect 301 /xmlrpc.php http://127.0.0.1

Apache now answers each request with a cheap redirect instead of running PHP, which takes the load off the server so you can log in to the WordPress admin console. (Keep in mind that any legitimate XML-RPC client, such as the WordPress mobile apps, will stop working while this rule is in place.) The next thing is to shield your WordPress from similar attacks.

For that I installed the WP Fail2Ban Redux plugin, which writes all suspicious events (including xmlrpc.php requests) to the system log so the fail2ban service can analyze them. Then I installed fail2ban itself using yum and copied the filter configurations from the plugin’s folder. Note that you have to specify the correct path to the system log file, and that the default jail configuration does not actually ban anything (on Amazon Linux at least), so the action has to be set explicitly. Here is my jail.local for WordPress:

[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 2
action = iptables-multiport[name=WordPress, port="http,https", blocktype=DROP]

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
maxretry = 5
action = hostsdeny

These rules block a furious attacker at the firewall: the wordpress-hard jail drops their TCP packets to the HTTP and HTTPS ports after two matches. The wordpress-soft jail covers password attacks and just adds the host to /etc/hosts.deny for the default ban time of 10 minutes. One caveat: /etc/hosts.deny is honored only by services that use TCP wrappers (sshd, for example), not by Apache, so the soft jail on its own will not stop HTTP requests; use an iptables action there too if you want it to. After that you can remove the redirect rule from .htaccess if you need the XML-RPC feature. I will keep it disabled…
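To make the jail semantics concrete, here is an added example (not code from the post, the plugin or fail2ban itself) that emulates what a fail2ban filter and jail do, applied directly to the access_log format shown above: match the suspicious request with a regex, count matches per client IP inside a sliding findtime window, and “ban” the IP once maxretry is reached. The log lines are constructed (documentation IP ranges), and the thresholds and the path are assumptions you would tune to your site. The real jails in the post read the plugin’s syslog lines rather than access_log, but the counting logic is the same.

```python
"""Fail2ban-style detection of an xmlrpc.php flood in an Apache access_log.

Added example, not part of the original post or of fail2ban: it emulates
what a filter + jail do (regex match, per-IP hit counter inside `findtime`,
ban once `maxretry` is reached) so the effect of the jail settings can be
reasoned about offline. The log lines are constructed; the thresholds are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix:
# <ip> - - [<timestamp>] "<method> <path> HTTP/x.y" <status> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering xmlrpc.php, one probing it with GET,
# and one legitimate XML-RPC client making two calls almost an hour apart.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.10 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.10 - - [14/Oct/2016:20:03:57 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [14/Oct/2016:20:03:58 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0"
192.0.2.10 - - [14/Oct/2016:20:03:58 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [14/Oct/2016:20:04:00 +0000] "GET /2016/10/some-post/ HTTP/1.1" 200 8423 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Oct/2016:20:04:01 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [14/Oct/2016:20:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress mobile app"
198.51.100.7 - - [14/Oct/2016:21:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress mobile app"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], int(m["status"]))


def find_offenders(lines, maxretry=5, findtime=600, path="/xmlrpc.php"):
    """Emulate a fail2ban jail over access_log lines.

    An IP is 'banned' the moment it has `maxretry` POSTs to `path` inside a
    sliding window of `findtime` seconds (hits older than the window are
    forgotten, exactly what a small findtime buys you against slow, legitimate
    clients). Returns {ip: timestamp_of_ban}; each IP is reported once.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # ip -> timestamps of recent matching requests
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # unparseable line: ignore, as fail2ban does
        ip, ts, method, req_path, _status = rec
        if method != "POST" or req_path != path or ip in banned:
            continue
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire hits outside findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Soft-style threshold: 5 hits in 10 minutes.
    for ip, when in find_offenders(lines, maxretry=5, findtime=600).items():
        print(f"ban {ip} at {when:%H:%M:%S} (5 POSTs within 600 s)")
    # Hard-style threshold: 2 hits, as in the wordpress-hard jail above.
    for ip, when in find_offenders(lines, maxretry=2, findtime=600).items():
        print(f"ban {ip} at {when:%H:%M:%S} (2 POSTs within 600 s)")
```

Running it shows the flooding client banned at its 5th request (20:04:01) with maxretry=5, and at its 2nd request (20:03:56) with the hard jail's maxretry=2, while the GET probe is never counted and the legitimate client with two POSTs 45 minutes apart is left alone. Raise findtime to an hour and that legitimate client gets banned too, which is the trade-off behind the maxretry and findtime values you pick.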

9 thoughts on “WordPress and XML RPC attack”

  1. You actually make it seem so easy with your presentation but I find this matter to be actually something
    that I think I would never understand. It seems too complicated and very broad for me.
    I am looking forward for your next post, I’ll try to get the hang of it!

    skripsi manajemen ekonomi

  2. Superb site you have here but I was curious if you knew of any
    community forums that cover the same topics discussed here?

    I’d really love to be a part of online community where I can get feedback from other
    experienced individuals that share the same interest.
    If you have any recommendations, please let me know.
    Thanks!

  3. I have noticed you don’t monetize your site, don’t waste your traffic, you can earn additional bucks every month because you’ve
    got high quality content. If you want to know how to make extra bucks, search for:
    Mertiso’s tips best adsense alternative

  4. I’ve been browsing online more than 2 hours today,
    yet I never found any interesting article like yours.
    It is pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the internet will be much more
    useful than ever before.
