Tag: server

WordPress xmlrpc.php attack

Recently, one of my WordPress website has been attacked by thousands of request to the xmlrpc.php file. The attacks came from multiple ip address. Here is my apache access log(/var/apache2/access.log): - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:44 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:35 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:37 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:43 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

These attacks come and go, and they had took down my site several times over the last few months. I did some google and found out that this kind of attack has been around for a while. It attempts to use the xmlrpc.php file to brute force WordPress logins.


Block IPs with ufw

Most ubuntu server has ufw installed, it can be used to block specific ip address from accessing the server.

I run the following command(reference) to get a list of attacker’s ip addresses:

$ grep xmlrpc /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head

// results

Those numbers in front of IPs are the number of times each ip requested the xmlrpc.php file.

Then for each of the IP address, I used the following command to block them using ufw:

sudo ufw deny from // replace with your attacker's ip address

I then ran the list attacker command a few more times after I blocked all IPs. Unfortunately, the access count is still increasing. There seems to be a problem with iptables on Ubuntu, but I couldn’t find a solution. So I tried another method to deal with these attacks.

Modifying Apache Virtual Host Config

Which is adding the following:

    <files xmlrpc.php>
      order allow,deny
      deny from all

to your WordPress apache virtual host config file.
My config file is the standard


Modifying this file will not block the attacker’s request, but reduce the amount of resources the request consumes on your server.

After I reload the apache with

sudo services apache2 restart

I was able to access my WordPress website again.

Installing HHVM on Ubuntu for Laraval

Recently I have been working on a project on Laravel 4.

As the web application in this project have reached a stable state, I decided to give Facebook’s HipHop VM (HHVM) as try. I have read that it gives a great performance boost to PHP applications, and it supports Laravel 100%.

After all it did turn out nicely, the response time of my application is about 50% shorter than before, and the process of setting it up is not that difficult either. So here is a note about what I did to have Laravel run faster using HHVM on a Ubuntu 14.04 server running Apache.

1. Install the softwares

HHVM requires VirtualBox and Vagrant to run. It’s very simple to install these two software on a Ubuntu 14.04, just use the following commands:

Make sure we have the most updated list of softwares:

$sudo apt-get update

Install Virtualbox:

$sudo apt-get install virtualbox

Install Vagrant:

$sudo apt-get install vagrant

I will assume you already have Apache on your system.

Now that we have the prerequisites, we can install the HHVM:

$ wget -O - http://dl.hhvm.com/conf/hhvm.gpg.key | sudo apt-key add -
$ echo deb http://dl.hhvm.com/ubuntu trusty main | sudo tee /etc/apt/sources.list.d/hhvm.list
$ sudo apt-get update
$ sudo apt-get install hhvm

At the end of HHVM installation, HHVM is nice enough to tell us what to do:

* HHVM is installed.
* Running PHP web scripts with HHVM is done by having your webserver talk to HHVM
* over FastCGI. Install nginx or Apache, and then:
* $ sudo /usr/share/hhvm/install_fastcgi.sh
* $ sudo /etc/init.d/hhvm restart
* (if using nginx) $ sudo /etc/init.d/nginx restart
* (if using apache) $ sudo /etc/init.d/apache restart
* Detailed FastCGI directions are online at:
* https://github.com/facebook/FastCGI
* If you're using HHVM to run web scripts, you probably want it to start at boot:
* $ sudo update-rc.d hhvm defaults
* Running command-line scripts with HHVM requires no special setup:
* $ hhvm whatever.php
* You can use HHVM for /usr/bin/php even if you have php-cli installed:
* $ sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60

2. Set up HHVM

Now let’s run the commands as we are told.

Let’s install the FastCGI, this is how our webserver talk to HHVM:

$ sudo /usr/share/hhvm/install_fastcgi.sh

And restart HHVM:

$ sudo /etc/init.d/hhvm restart

We will need to restart Apache as well:

$ sudo /etc/init.d/apache restart

If you want to, like I do, you can set hhvm to start at boot:

$ sudo update-rc.d hhvm defaults


Now use your browser and go to your laravel application see if HHVM doing its job.

Trouble Shooting

You can check wether the application is running on HHVM by using the following php code.

if (defined('HHVM_VERSION')) {
// your application is running on hhvm
} else {
// no hhvm

404 Not Found???

If after you installed HHVM, your application suddenly shows 404 Not Found like I did. Don’t panic like I did. Add the following code at the end of /etc/hhvm/server.ini file:


Hopfully this will fix the 404. It’s a problem related to a modified Apache configuration file.