Firstly, how do you find out that you are a victim of an xmlrpc.php attack? Or, in other words, how do you know it is really an xmlrpc.php attack?
The most visible effect of this attack is that your server slows down or comes to a complete standstill. If you are on shared hosting such as GoDaddy, 1&1 etc., the host will either notify you that you have run out of resources or simply suspend your account.
Even a dedicated server will slow down drastically.
How to find out if your server is under xmlrpc.php attack?
Log in to your server via SSH and run the following command:
ps -ef | grep xmlrpc.php
If it lists a number of PHP processes with xmlrpc.php on their command line, you are under attack. Note that this check only works when the PHP handler passes the script path on the command line (typical of CGI/suPHP setups); under mod_php or PHP-FPM the workers show up only as httpd or php-fpm and the script name never appears, so on those setups the reliable check is the Apache access log, as described in the update below.
How to stop xmlrpc.php attack?
Well, you can't stop it totally. All you can do is block it on your server. To block the attack, copy the following lines into the .htaccess file at the top, above any other directive (in particular above the WordPress rewrite block, so the request is refused before it can be routed anywhere else):
<Files xmlrpc.php>
deny from all
</Files>
The <Files> wrapper matters: a bare "deny from all" would block the whole site, not just xmlrpc.php. On Apache 2.4 without mod_access_compat the equivalent directive is "Require all denied".
That’s it, say goodbye to suckers!
Block IP address in firewall
If you have a firewall installed, check the Apache access_log, search for xmlrpc.php requests, extract the IP addresses and add them to the firewall's block list. This only avoids the problem temporarily, as attackers will move to another IP.
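The log-based check and the IP extraction described above, as an added example (not from the original post): a POSIX shell script that counts POSTs to xmlrpc.php per client IP in an Apache combined-format log, flags the clients above a threshold, and prints the corresponding iptables rules for review rather than applying them. The sample log is constructed for this example using documentation address ranges; the threshold, the iptables syntax and the temp-file path are assumptions, not anything the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): find the source IPs that are
# hammering xmlrpc.php in an Apache access log and emit firewall rules.
# Log format assumed: Apache "combined", as in the log line quoted in the post.
# The sample log below is constructed for this example; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real attackers.

SAMPLE_LOG="${TMPDIR:-/tmp}/xmlrpc_example_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Aug/2015:17:34:52 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [25/Aug/2015:17:34:52 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [25/Aug/2015:17:34:53 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [25/Aug/2015:17:34:53 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [25/Aug/2015:17:35:01 +0100] "POST /xmlrpc.php HTTP/1.0" 404 28113 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Aug/2015:17:35:02 +0100] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Aug/2015:17:35:05 +0100] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Aug/2015:17:35:06 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "https://example.org/" "WordPress/4.3; https://example.org"
EOF

# Print "count ip" for every client that POSTed to xmlrpc.php, busiest first.
# In combined format field 1 is the client IP, field 6 is the method (with the
# opening quote still attached) and field 7 is the request path.
xmlrpc_hits() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the IPs with more than $2 xmlrpc.php POSTs in the log ($1).
# A threshold keeps legitimate single pingbacks (the 192.0.2.10 line) out of
# the block list; pick it from what your normal traffic looks like.
xmlrpc_offenders() {
    xmlrpc_hits "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Emit (do not run) firewall rules for the offenders so they can be reviewed
# before being applied. Assumes iptables; adapt for csf, ufw or a cloud ACL.
xmlrpc_block_rules() {
    xmlrpc_offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

# Stand-alone run: with threshold 3 only 203.0.113.5 is flagged in the sample.
xmlrpc_hits "$SAMPLE_LOG"
xmlrpc_block_rules "$SAMPLE_LOG" 3
```

Pipe the rules into sh only after reading them; on a real server point SAMPLE_LOG at the domain log (the post gives /home/apache/domlogs/<account name> for that server) and raise the threshold well above the handful of POSTs a legitimate pingback or Jetpack sync generates.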
What are other methods to block this attack and do they really work?
You might find various other solutions for this kind of attack, but they either don't work or do not address this particular problem.
Deleting xmlrpc.php file doesn’t work
Some people suggest that you should delete xmlrpc.php. This doesn't solve the problem; it simply passes the buck to index.php. The standard WordPress .htaccess rewrite rules send any request for a file that does not exist to index.php, which loads WordPress, connects to the database and renders a 404 page. So instead of seeing xmlrpc.php in the process list you will see loads of index.php, and each bogus request still costs a full WordPress load.
Changing xmlrpc.php file permission to 644 doesn’t work either
You might find another suggestion to change the permissions of xmlrpc.php to 644, which again doesn't work: 644 is already the normal permission for WordPress files, and PHP only needs read access to execute the script, so every request is still processed. Don't waste your time.
Another suggested solution is disabling pingbacks. That is not the correct solution for this particular problem. Disabling pingbacks is the fix when your WordPress site has been compromised into sending pingbacks to other WordPress sites; it removes one XML-RPC method, but every request still has to load WordPress and parse the XML-RPC body before the method is refused, so the load stays.
The problem discussed above arises when attackers overload your server by hammering the WordPress site's xmlrpc.php file.
Updated on 25 August 2015
Just spotted one similar attack in the domain log. My server slowed down. I checked the process list with the ps command but couldn't find any xmlrpc.php access details. Then I identified the domain under attack from the top command.
Lastly I checked the domain log and, voila, there it was.
220.127.116.11 - - [25/Aug/2015:17:34:52 +0100] "POST /xmlrpc.php HTTP/1.0" 404 28113 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
The domain log can be found in /home/apache/domlogs/<account name>
To stop such an attack, just block the IP address in the server's firewall.
Brilliant! Worked like a charm.
Why disabling pingback will not solve this problem? After all xmlrpc is used for pingback innit?
For the record, I have that very same IP on my logs now. Same issue, trying to exploit xmlrpc.php.
These IPs belong to well known spammers. Just Google for it and you will find more details.
High CPU load remains because, with this code, the WP 404 error page still gets called, and the database connection too. To avoid this you have to redirect to another IP like:
# mod_rewrite must be switched on for the rule to take effect
RewriteEngine On
RewriteRule ^xmlrpc\.php$ http://0.0.0.0/ [R=301,L]