Our site is a standard WordPress install. It has recently been subjected to a Denial of Service (probably distributed) which makes many many calls to xmlrpc.php using HTTP POST. This simply overwhelms the server.
We found this out by looking at the access log. You will see lines like this:
igbreviews.com:80 18.104.22.168 – – [08/Aug/2016:08:03:04 +0000] “POST /xmlrpc.php HTTP/1.1” 200 790 “-” “Googlebot/2.1 (+http://www.google.com/bot.html)”
This is not actually the Googlebot, but a rather nefarious attacker. You can tell this by running
If this returns a Google domain you are fine, if not you are being attacked.
We first started by adding each malicious IP address to apache’s .htaccess file (found in our site root). This worked well, but the attackers kept changing IP address.
Instead we’ve blocked all access to xmlrpc.php and only allow our specific IP addresses access this with the following code:
deny from all
allow from 22.214.171.124