Recently, one of my WordPress website has been attacked by thousands of request to the xmlrpc.php
file. The attacks came from multiple ip address. Here is my apache access log(/var/apache2/access.log
):
62.141.35.242 - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:44 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:35 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:37 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:43 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
These attacks come and go, and they had took down my site several times over the last few months. I did some google and found out that this kind of attack has been around for a while. It attempts to use the xmlrpc.php
file to brute force WordPress logins.
Solution
Block IPs with ufw
Most ubuntu server has ufw
installed, it can be used to block specific ip address from accessing the server.
I run the following command(reference) to get a list of attacker’s ip addresses:
$ grep xmlrpc /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head
// results
6039 62.141.35.242
1566 154.16.63.40
1411 188.120.41.8
248 195.2.252.132
Those numbers in front of IPs are the number of times each ip requested the xmlrpc.php
file.
Then for each of the IP address, I used the following command to block them using ufw:
sudo ufw deny from 62.141.35.242 // replace with your attacker's ip address
I then ran the list attacker command a few more times after I blocked all IPs. Unfortunately, the access count is still increasing. There seems to be a problem with iptables
on Ubuntu, but I couldn’t find a solution. So I tried another method to deal with these attacks.
Modifying Apache Virtual Host Config
Which is adding the following:
<VirtualHost>
…
<files xmlrpc.php>
order allow,deny
deny from all
</files>
</VirtualHost>
to your WordPress apache virtual host config file.
My config file is the standard
/etc/apache2/sites-available/000-default.conf
Modifying this file will not block the attacker’s request, but reduce the amount of resources the request consumes on your server.
After I reload the apache with
sudo services apache2 restart
I was able to access my WordPress website again.