WordPress: How to Stop xmlrpc.php Attack [SOLVED]

by Ajay Singh, Aug 22, 2015 5 Comments
VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

WordPress-xmlrpc.php attack solutionFirstly how do you find out that you are a victim of xmlrpc.php attack? Or in another words how do you find out if it’s really an xmlrpc.php attack?

The most visible affect of this attack is that your server will slow down or it will come to complete standstill. If you are using a shared hosting such as GoDaddy,  1&1 etc then they will either intimate you that you have ran out of resources or they will simply block your account.

Even a dedicated server will slow down drastically.

How to find out if your server is under xmlrpc.php attack?

Login to your server via SSH, and run following command

ps -ef | grep xmlrpc.php 

If it shows a number of processes then you are under xmlrpc.php attack.

 

How to stop xmlrpc.php attack?

Well you can’t stop it totally. All you can do is to block it on your server. In order to block this attack simply copy the following code and paste it in .htaccess file at the top above any other directive.

<Files “xmlrpc.php”>
Order Allow,Deny
deny from all
</Files>

That’s it, say goodbye to suckers!

Block IP address in firewall

If you have firewall installed then check the apache access_log, search for xmlrpc.php instances, extract the IP addresses and add them in the block list in firewall. This will only avoid the problem temporarily as attackers will use another IP.

What are other methods to block this attack and do they really work?

You might find various other solutions for this kind of attack but they either don’t work or they are not really a solution to this particular problem.

Deleting xmlrpc.php file doesn’t work

Some people suggest that you should delete the xmlrpc.php. This doesn’t solve the problem but it simple passes the bucks to index.php. WordPress returns index.php if xmlrpc.php file is not found. So instead of seeing xmlrpc.php file in the process you will see loads of index.php.

Changing xmlrpc.php file permission to 644 doesn’t work either

You might find another suggestion to change the xmlrpc.php file to 644 which again doesn’t work. So don’t waste your time.

Disable pingback

One other solution is disabling pingback. This is not the correction solution for this particular problem. Blocking the pingback is solution for a problem when your WordPress site has been compromised to send out pingbacks to other WordPress sites.

The problem which I’ve discussed above arises when attackers overload your server by accessing WordPress site’s xmlrpc.php file.

Updated on 25 August 2015

Just spotted one similar attack in domain log. My server slowed down. I checked process list from ps command but couldn’t find any xmlrpc.php access details. Then I checked the domain which is under attack from top command.

Lastly I checked the domain log and viola there it was.

89.248.168.64 – – [25/Aug/2015:17:34:52 +0100] “POST /xmlrpc.php HTTP/1.0” 404 28113 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)”

Domain log can be found in /home/apache/domlogs/<account name>

To stop such attack just block IP address in server’s firewall.

Comments

5 Responses to “ WordPress: How to Stop xmlrpc.php Attack [SOLVED] ”
  1. Jimmy

    brilliant! worked like a charm.

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  2. Ash

    Why disabling pingback will not solve this problem? After all xmlrpc is used for pingback innit?

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  3. jmp

    For the record, I have that very same IP on my logs now. Same issue, trying to exploit xmlrpc.php.

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
    • Ajay Singh

      These IPs belong to well known spammers. Just Google for it and you will more details.

      VN:F [1.9.22_1171]
      Rating: 0 (from 0 votes)
  4. Zack

    High CPU load remain because with this code, the 404 wp error page will be call and the database connection to. To avoid this you have to redirect to another IP like :

    RewriteRule ^xmlrpc\.php$ “http\:\/\/0\.0\.0\.0\/” [R=301,L]

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)

Leave a Reply