How to block/prevent xmlrpc.php attack?

How to block/prevent xmlrpc.php attack?

Server Load

The brute-force attacks against WordPress have always been very common. In fact, the brute force against any CMS these days is a common occurrence, what is always interesting however are the tools employed to make it happen.

In CPanel servers that have WordPress websites, sometimes reported with “xmlrpc.php” which shows that high CPU usages. xmlrpc.php is a file in WordPress sites used for remote monitoring ping back and publication. Botnets are pointing to this file to launch brute force to take control of the target site. This causes a high load on the server.

How to decrease server load?

When server is under high load for xmlrpc attack, our first priority is recovering server from high load. For this, we need to prevent access to xmlrpc.php at the Apache connection level. We can do this by adding the below directive to Apache configuration file, and restarting the server.

How to block xmlrpc.php attack?
Disable access to xmlrpc.php is only a temporary solution that many websites would have to trace the blog ping remote back or have it published. So the solution is to block attacks based on common attack signatures.

A valid request will have a referrer field, while the attacks wont usually have a referrer field. So, a firewall rule can be used to block such requests. Mod_security can come in very handy for this. Add the following to the mod_security rule set.

#Block requests to xmlrpc.php with no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "xmlrpc.php"

3 thoughts on “How to block/prevent xmlrpc.php attack?

  1. I want to redirect the traffic to blank domain because it is hitting my server resources, i got a lot of 404

    Could you please tell, or at least how to block those ip in firewall level automatically.

    Firewall is Configserver, please reply back

Leave a Comment