WordPress xmlrpc.php attack

Recently, one of my WordPress websites was hit by thousands of requests to the xmlrpc.php file. The attacks came from multiple IP addresses. Here is my Apache access log (/var/apache2/access.log):

62.141.35.242 - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:44 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:35 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:37 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:43 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

These attacks come and go, and they have taken down my site several times over the last few months. I did some googling and found out that this kind of attack has been around for a while. It attempts to use the xmlrpc.php file to brute-force WordPress logins.

Solution

Block IPs with ufw

Most Ubuntu servers have ufw installed; it can be used to block specific IP addresses from accessing the server.

I ran the following command (reference) to get a list of the attackers' IP addresses:

$ grep xmlrpc /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head

// results
6039 62.141.35.242
1566 154.16.63.40
1411 188.120.41.8
 248 195.2.252.132

The numbers in front of the IPs are the number of times each IP requested the xmlrpc.php file.

Then, for each IP address, I used the following command to block it with ufw:

sudo ufw deny from 62.141.35.242   # replace with the attacker's IP address

I then ran the attacker-listing command a few more times after I had blocked all the IPs. Unfortunately, the access count was still increasing. There seems to be a problem with iptables on Ubuntu, but I couldn't find a solution. So I tried another method to deal with these attacks.

Modifying Apache Virtual Host Config

This means adding the following:

<VirtualHost>
…
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>

to your WordPress Apache virtual host config file.
My config file is the standard

/etc/apache2/sites-available/000-default.conf

Modifying this file will not stop the attackers' requests from reaching the server, but it reduces the resources each request consumes: Apache rejects the request itself instead of handing it to PHP and WordPress.

After restarting Apache with

sudo service apache2 restart

I was able to access my WordPress website again.
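Pulling the steps above together (counting xmlrpc.php hits per IP, generating the ufw rules, and checking that the <Files xmlrpc.php> deny block is working), as an added example that is not part of the original post. It assumes Apache's default "combined" log format; the function names and the sample log lines are constructed for the demo.

```shell
# Added example, not from the original post: count POST requests to xmlrpc.php
# per client IP, list the IPs above a threshold, emit the matching ufw commands
# without running them, and summarise status codes to verify the deny block.

# Constructed sample in Apache "combined" format (IPs taken from the post).
SAMPLE_LOG='62.141.35.242 - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:44 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [15/May/2016:21:05:40 +0800] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
62.141.35.242 - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.9 - - [15/May/2016:21:06:01 +0800] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
62.141.35.242 - - [15/May/2016:21:06:02 +0800] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"'

# Write the sample to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Usage: xmlrpc_hits_by_ip LOGFILE THRESHOLD -> "count ip" lines, highest first.
# Matching method and path (fields 6 and 7) instead of "grep xmlrpc" avoids
# counting referrers, GETs or other paths that merely contain the string.
xmlrpc_hits_by_ip() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Usage: ufw_deny_commands LOGFILE THRESHOLD -> ufw rules to review, then run.
# The User-Agent is attacker-controlled (every line above claims to be
# Googlebot), so block on source IP and request pattern, never on the UA.
ufw_deny_commands() {
    xmlrpc_hits_by_ip "$1" "$2" | while read -r count ip; do
        printf 'sudo ufw deny from %s   # %s POSTs to xmlrpc.php\n' "$ip" "$count"
    done
}

# Usage: xmlrpc_status_counts LOGFILE -> "count status" for xmlrpc.php requests.
# Once the <Files xmlrpc.php> deny block is live, new hits log as 403, not 200.
xmlrpc_status_counts() {
    awk '$7 ~ /^\/xmlrpc\.php/ { st[$9]++ } END { for (s in st) print st[s], s }' "$1" | sort -rn
}

LOGF=$(write_sample_log)
xmlrpc_hits_by_ip "$LOGF" 2; ufw_deny_commands "$LOGF" 2; xmlrpc_status_counts "$LOGF"
rm -f "$LOGF"
```

Point the functions at /var/log/apache2/access.log instead of the sample to run them against a real server.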

2 Comments


  1. I was more than happy to discover this great site. I want to thank you for one's time for this particularly fantastic read!! I definitely really liked every little bit of it and I also have you saved to fav to look at new stuff in your website.

  2. We've added a token-based authentication mechanism to the REST API in order for the site to be able to receive authenticated requests from WordPress.
