Block WordPress XMLRPC attack

Our site is a standard WordPress install. It has recently been subjected to a Denial of Service attack (probably distributed) that makes a very large number of HTTP POST requests to xmlrpc.php. This simply overwhelms the server.

We found this out by looking at the access log.  You will see lines like this:

    igbreviews.com:80 176.31.39.108 - - [08/Aug/2016:08:03:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 790 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

This is not actually the Googlebot, but a rather nefarious attacker.  You can tell this by running

    host 176.31.39.108

If this returns a Google domain you are fine; if not, you are being attacked.
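The log check and the `host` lookup can be automated together. The Python below is an added example, not code from the original post: it counts POSTs to xmlrpc.php per client IP that claim a Googlebot user agent and keeps those failing a forward-confirmed reverse DNS check (the PTR name must be under a Google domain and must resolve back to the same IP, because the PTR record alone is set by whoever controls the address block). The function names, sample log lines and sample DNS table are constructed for the demonstration, and the forward lookup is IPv4 only.

```python
import re
import socket
from collections import Counter

# Log layout as in the sample line above (vhost:port first, user agent last).
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com", ".googleusercontent.com")

def system_resolver(ip):
    """Return (PTR name, IPv4 addresses that name resolves to) via system DNS."""
    name = socket.gethostbyaddr(ip)[0]
    return name, socket.gethostbyname_ex(name)[2]

def is_real_googlebot(ip, resolver=system_resolver):
    """PTR must be a Google name AND that name must resolve back to the same IP."""
    try:
        name, addrs = resolver(ip)
    except OSError:  # no PTR record, or the lookup failed
        return False
    return name.lower().rstrip(".").endswith(GOOGLE_SUFFIXES) and ip in addrs

def fake_googlebot_posts(lines, resolver=system_resolver):
    """Count xmlrpc.php POSTs per IP whose Googlebot user agent fails the DNS check."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and "Googlebot" in m["ua"]
                and m["path"].startswith("/xmlrpc.php")):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if not is_real_googlebot(ip, resolver)}

# Constructed sample data (documentation IP ranges) so the demo runs without DNS.
UA = '"-" "Googlebot/2.1 (+http://www.google.com/bot.html)"'
SAMPLE_LOG = [
    f'example.com:80 {ip} - - [08/Aug/2016:08:03:04 +0000] "{verb} /xmlrpc.php HTTP/1.1" 200 790 {UA}'
    for ip, verb in [("203.0.113.5", "POST"), ("203.0.113.5", "POST"), ("203.0.113.5", "GET"),
                     ("198.51.100.7", "POST"), ("192.0.2.10", "POST")]]
SAMPLE_DNS = {"198.51.100.7": ("crawl-7.googlebot.com", ["192.0.2.99"]),  # PTR only
              "192.0.2.10": ("crawl-10.googlebot.com", ["192.0.2.10"])}   # confirmed

def sample_resolver(ip):  # stand-in for DNS; a missing entry acts like a failed lookup
    if ip not in SAMPLE_DNS:
        raise OSError("no PTR record")
    return SAMPLE_DNS[ip]

if __name__ == "__main__":
    print(fake_googlebot_posts(SAMPLE_LOG, sample_resolver))
```

Against a real log, pass the open file and leave `resolver` at its default so the system's DNS is used.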

We started by adding each malicious IP address to Apache's .htaccess file (found in our site root). This worked well, but the attackers kept changing IP addresses.

Instead, we've blocked all access to xmlrpc.php and allow only our own specific IP addresses to access it, using the following code:

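    <Files xmlrpc.php>
        # Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat
        # (the native 2.4 form is "Require ip 1.2.3.4").
        order deny,allow
        deny from all
        # Replace 1.2.3.4 with your own address.
        allow from 1.2.3.4
    </Files>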



