Disable XML-RPC in WordPress

1. What is XML-RPC?

WordPress uses XML-RPC to allow users to perform many operations on their blog/website remotely. It allows you to access your website through WordPress-specific mobile apps.

2. How to know if your WordPress website is under attack?

The simplest way to know whether your website is being attacked in this way is to open the access_log file and look. If you see a large volume of traffic like the sample below, your website is being attacked through XML-RPC.

xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:49 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:50 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:50 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:51 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:51 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:52 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8
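Reading the access_log by eye works for a handful of lines, but a short script makes the two patterns described in this article measurable: many POSTs to xmlrpc.php from one client in a short window (brute force), and one POST each from many different WordPress installations (reflected pingback flood). The following is an added example, not code from the original article; the sample log lines are constructed from documentation IP ranges, the thresholds (20 requests per 60 seconds, 10 distinct sources) are arbitrary starting points to tune per site, and the assumption that pingback traffic identifies itself with a User-Agent beginning "WordPress/" is mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format, the same layout as the access_log lines shown above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access_log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def xmlrpc_posts(lines):
    """Yield parsed POST requests to /xmlrpc.php, silently skipping malformed lines."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            yield rec


def bursty_sources(lines, window_seconds=60, threshold=20):
    """Brute-force signature: one client hammering xmlrpc.php.

    For every source IP, find the largest number of xmlrpc.php POSTs that fall
    inside any sliding window of `window_seconds`; return {ip: peak} for IPs whose
    peak reaches `threshold`. The defaults are assumptions to tune per site.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for rec in xmlrpc_posts(lines):
        per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def pingback_flood_sources(lines, min_distinct_sources=10):
    """Reflected pingback DDoS signature: many different WordPress sites hitting xmlrpc.php.

    Assumption: WordPress identifies itself with a User-Agent beginning "WordPress/"
    when it sends or verifies pingbacks. Return the set of such source IPs if there
    are at least `min_distinct_sources` of them, else an empty set.
    """
    sources = {rec["ip"] for rec in xmlrpc_posts(lines) if rec["ua"].startswith("WordPress/")}
    return sources if len(sources) >= min_distinct_sources else set()


# ---- constructed sample log (documentation IP ranges, not real traffic) ----
def _line(ip, second, ua):
    return (f'{ip} - - [15/Sep/2016:12:54:{second:02d} +0700] '
            f'"POST /xmlrpc.php HTTP/1.1" 200 0 "-" "{ua}"')


BRUTE_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
SAMPLE_LOG = (
    # one client, 25 POSTs in 25 seconds: brute-force pattern
    [_line("203.0.113.7", s, BRUTE_UA) for s in range(25)]
    # twelve different sites each verifying one "pingback": reflected DDoS pattern
    + [_line(f"198.51.100.{n}", n, f"WordPress/4.6; http://blog{n}.example; verifying pingback from 192.0.2.1")
       for n in range(1, 13)]
    # ordinary traffic and a malformed line, both ignored
    + ['192.0.2.55 - - [15/Sep/2016:12:55:10 +0700] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.50.0"',
       "this line is not in combined log format"]
)

if __name__ == "__main__":
    print("brute-force sources:", bursty_sources(SAMPLE_LOG))
    print("pingback sources:", sorted(pingback_flood_sources(SAMPLE_LOG)))
```

To run it over a real file, replace SAMPLE_LOG with `open("/var/log/apache2/access.log")` (or the NGINX equivalent); the functions accept any iterable of lines. The two signatures are deliberately separate: a brute-force run comes from few addresses with many requests, while a pingback flood comes from many legitimate WordPress sites with one or two requests each, so a per-IP rate threshold alone would miss it.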

3. XML-RPC attack methods

3.1. Brute-force Attack

XML-RPC requests are authenticated with a username and password so that you can edit your site remotely and securely. Attackers exploit this by trying countless username and password combinations until they get into your site.

3.2. DDoS

A single attacker can use thousands of WordPress sites to launch a DDoS attack on your site with a simple pingback request to the XML-RPC file. The almost endless stream of requests overloads the web server, causing your website to experience downtime or even a server crash.

4. Disable XML-RPC

4.1. Disable xmlrpc.php with the "Disable XML-RPC" plugin

The simplest option is to install the "Disable XML-RPC" plugin. However, other plugins you use may depend on parts of XML-RPC, so disabling it completely could cause plugin conflicts and break the site.

You can use some other plugins:

Stop XML-RPC Attack: This plugin blocks XML-RPC attacks while still allowing plugins such as Jetpack and other automated tools to access the xmlrpc.php file.

Control XML-RPC Publishing: This plugin lets you control which remote publishing tools may use xmlrpc.php.

4.2. Manual way

  • Block xmlrpc.php in .htaccess

If you use shared hosting or a server running Apache, insert the following into the .htaccess file in the root directory of the website. Note that order/deny is Apache 2.2 syntax; on Apache 2.4 (without mod_access_compat) use Require all denied inside the same block instead.

<Files xmlrpc.php>
  order allow,deny
  deny from all
</Files>

To return a 403 error when the file is accessed:

Code:

# protect xmlrpc
<IfModule mod_alias.c>
  RedirectMatch 403 /xmlrpc.php
</IfModule>

Or redirect to another page:

Code:

# protect xmlrpc
<IfModule mod_alias.c>
  Redirect 301 /xmlrpc.php http://example.com/custom-page.php
</IfModule>

  • Block xmlrpc.php in NGINX

If you are using NGINX (typically in front of PHP-FPM), add the following to the server block in the domain's NGINX configuration file. The exact-match location takes precedence over the generic PHP location, so the request never reaches PHP-FPM.

location = /xmlrpc.php {
  deny all;
  access_log off;
  log_not_found off;
}

*Then test the configuration and reload NGINX.

  • Use a code snippet

Insert the following code into the functions.php file of the theme or child theme you are using and save it. Note that the xmlrpc_enabled filter only disables the XML-RPC methods that require authentication: xmlrpc.php still responds, and unauthenticated methods such as pingback.ping remain available (they can be removed with the xmlrpc_methods filter), so the server-level blocks above are the more complete option.

add_filter( 'xmlrpc_enabled', '__return_false' );
