How to protect WordPress from XML-RPC attack – All things in moderation

How to protect WordPress from XML-RPC attacks


What is XML-RPC?

According to Wikipedia, XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. XML-RPC also refers generically to the use of XML for remote procedure calls, independently of the specific protocol. In WordPress it serves three main purposes:
* Connecting to your site(s) with your smartphone
* Trackbacks and pingbacks when other sites refer to your site
* Jetpack (which uses it)

What security problems does XML-RPC create for your site?

  • Brute force attacks: Attackers try to log in to WordPress through xmlrpc.php with as many username/password combinations as they can send. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords in one request. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”
  • Denial of service attacks via pingback: Back in 2013, attackers sent pingback requests through the xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet”. For more, you can read Cloudi's previous post, xml-rpc-ddos. In short, attackers can make hundreds of login attempts within a single HTTP request. Imagine seeing that in your access log!

How to recognize an XML-RPC DDoS attack?

Look for many entries similar to "POST /xmlrpc.php HTTP/1.0" in your web server logs.
The location of your web server log files depends on which Linux distribution and which web server you are running, and on your configuration:
For Nginx on Redhat/Ubuntu, search the access log with:

grep xmlrpc /var/log/nginx/access.log

For Apache on Redhat/Ubuntu, search the access log with:

grep xmlrpc /var/log/apache2/access.log

Your WordPress site is receiving an XML-RPC DDoS attack if the commands above produce many lines of output similar to this example (the client IP address that normally begins each line is omitted here):

- - [12/Jan/2017:23:54:12 -0400] "POST /xmlrpc.php HTTP/1.1" 200 14204 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1
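The grep commands above tell you that xmlrpc.php is being hit; the next question is which clients are hitting it and how hard. The following POSIX shell script is an added example, not code from the original post or from WordPress: it builds a small constructed access log in the combined format that Apache and Nginx write by default (addresses from the RFC 5737 documentation ranges, made-up timestamps and user agents) and counts POST /xmlrpc.php requests per client and per HTTP status. Point the functions at your real access log instead of the constructed file.

```shell
#!/bin/sh
# Added example, not from the original post: summarise POST /xmlrpc.php
# traffic in a combined-format access log so that a pingback flood or a
# multicall password-guessing run stands out from normal traffic.

# Constructed sample log standing in for /var/log/nginx/access.log or
# /var/log/apache2/access.log. Client addresses use the RFC 5737
# documentation ranges, so they are not real hosts.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# One client hammering xmlrpc.php: twelve POSTs in twelve seconds...
i=0
while [ "$i" -lt 12 ]; do
    printf '192.0.2.10 - - [12/Jan/2017:23:54:%02d -0400] "POST /xmlrpc.php HTTP/1.1" 200 14204 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0"\n' "$i" >> "$SAMPLE_LOG"
    i=$((i + 1))
done
# ...then two more after a deny rule was deployed (now answered with 403),
# plus a couple of legitimate pingbacks and ordinary traffic from other clients.
cat >> "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [12/Jan/2017:23:55:01 -0400] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0"
192.0.2.10 - - [12/Jan/2017:23:55:02 -0400] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0"
203.0.113.5 - - [12/Jan/2017:23:54:30 -0400] "POST /xmlrpc.php HTTP/1.1" 200 14204 "-" "WordPress/4.7; http://blog.example"
203.0.113.5 - - [12/Jan/2017:23:54:31 -0400] "POST /xmlrpc.php HTTP/1.1" 200 14204 "-" "WordPress/4.7; http://blog.example"
198.51.100.7 - - [12/Jan/2017:23:54:40 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2017:23:54:41 -0400] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
EOF

# Print "<count> <ip>" for every client that POSTed to /xmlrpc.php, busiest first.
# Combined-format fields: $1 client IP, $6 "\"POST", $7 request path, $9 status.
xmlrpc_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the clients at or above a threshold of POSTs (default 10): these
# are the sources to rate-limit or block at the firewall while you investigate.
flag_xmlrpc_abusers() {
    xmlrpc_posts_by_ip "$1" | awk -v limit="${2:-10}" '$1 >= limit { print $2 }'
}

# Count POST /xmlrpc.php requests by HTTP status. Before a deny rule is in
# place you see 200s; afterwards new hits show up as 403.
xmlrpc_status_summary() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { s[$9]++ }
         END { for (code in s) print code, s[code] }' "$1" | sort -n
}

echo "POST /xmlrpc.php requests per client IP:"
xmlrpc_posts_by_ip "$SAMPLE_LOG"
echo "Clients at or above 10 requests:"
flag_xmlrpc_abusers "$SAMPLE_LOG" 10
echo "Status codes returned for POST /xmlrpc.php:"
xmlrpc_status_summary "$SAMPLE_LOG"
```

A client with dozens of POSTs to xmlrpc.php in a few seconds looks the same in the access log whether it is a pingback flood or a multicall password-guessing run, so the per-client count is the first thing to check either way. Once the deny rule from the next section is deployed, the status summary over fresh log lines should show 403 instead of 200, and `curl -s -o /dev/null -w '%{http_code}' -X POST https://your-site.example/xmlrpc.php` (placeholder hostname) should print 403 as well.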

How to prevent XML-RPC attacks?

The best thing you can do!

The best thing you can do to protect yourself is to turn off XML-RPC altogether, by refusing requests to xmlrpc.php at the web server before they reach WordPress.

For Apache on Redhat/Ubuntu, open the Apache configuration file (vim /etc/apache2/apache2.conf) and add the block below:

<Files xmlrpc.php>
# Apache 2.2-style access directives; on Apache 2.4 the equivalent is "Require all denied"
Order Allow,Deny
Deny from all
</Files>

For Nginx on Redhat/Ubuntu, open the Nginx configuration file (vim /etc/nginx/nginx.conf) and add the location block below inside the server block for your site:

server {
    location /xmlrpc.php {
        deny all;
    }
}

Why is WordPress still using xmlrpc.php?

The author of a security plugin wrote:
“To us, disabling XML-RPC comes with a cost. You are disabling a major API in WordPress. We briefly provided this capability, but removed the feature because WordPress’s own API abuse prevention has improved. Furthermore, providing the ability to disable XML-RPC caused confusion among users when their applications broke because they could not access the API.”
If you have become dependent on tools that rely on XML-RPC and you don’t want to turn it off, here are some plugins that can help:
* Stop XML-RPC Attack
* Jetpack: “The Jetpack plugin for WordPress can block the XML-RPC multicall method requests with its Protect function”

It’s time to say goodbye to XML-RPC

Starting with the release of WordPress version 4.7, the WordPress core developers are turning WordPress’s code into a REST application, so you won’t have to use XML-RPC to use the mobile apps or Jetpack.
Instead, you’ll authenticate yourself in external apps through the OAuth protocol. You may not know what OAuth is, but if you’ve ever clicked a Twitter button on a post, you’ve used OAuth.


