WordPress utilizes XML-RPC to remotely execute functions for example JetPack, WordPress mobile application etc. But XMLRPC Attack made web server jam. In HTTP access log, we saw a lot of requests like this:
61.135.232.103 - - [11/Sep/2020:10:27:20 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 91.132.142.57 - - [11/Sep/2020:10:39:03 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 5.33.187.36 - - [11/Sep/2020:10:43:28 -0500] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
You will also get “Error connecting to database” message when your WordPress site is down.
Solutions
We can secure server from XMLRPC attacks in several ways
- We can add a HTTP directive to httpd.conf or .htaccess for denying all requests on /xmlrpc.php.
<files xmlrpc.php> Order allow,deny Deny from all </files>
If don’t have httpd.conf or .htaccess, we can simply rename the filename.
- Where is httpd.conf?
/etc/httpd/conf/httpd.conf
- DirectAdmin: File Editor
- Webmin: Others > File Manager
- Where is httpd.conf?
- Installing the Jetpack Plugin can block the XML-RPC requests with its “Protect” function.
