WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php


This topic contains 8 replies, has 4 voices, and was last updated by AITpro Admin 3 weeks ago.

    #13859
    AITpro Admin
    Keymaster

    WordPress uses the Incutio XML-RPC Library, which is totally awesome and amazing and it is a shame that hackers try to exploit this.  This is not a new issue with the xmlrpc.php file and the WordPress XML-RPC Server/Library and has been known for quite a while now.  Recently there have been several reported DDoS Attacks/Exploits that are exploiting the WordPress XML-RPC Server/Protocol/xmlrpc.php file.  For anyone who uses the WordPress XML-RPC server features/capabilities on their website, there is a risk of DDoS exploitation.  How high that risk is I do not have a definite “odds or percentage” number, but the reality is that the possibility of DDoS exploitation does exist.

    The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code below does completely turn off/disable IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection.  Using this code below will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code as shown in the example below.  If you have added/whitelisted your IP address (or multiple IP addresses) in the XML-RPC DDoS PROTECTION Bonus Custom Code below then you can still remote post to your website.

    Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.

    Checking to ensure that the WordPress XML-RPC DDoS Protection .htaccess code is working on your website

    BPS:  Enter/type in the URL to your xmlrpc.php file on your website.  Example:  example.com/xmlrpc.php.  You should see a 403 Forbidden error, which means your xmlrpc.php file is protected.

    BPS Pro:  Either use the method above for BPS or use the new BPS Pro Pro-Tool:  XML-RPC Exploit Checker to check your local website or check your other websites remotely.  The XML-RPC Exploit Checker Pro-Tool uses the IXR XML-RPC Client script to connect to the WordPress IXR Server & also displays Headers for extra confirmation that the xmlrpc.php file is protected.

    XML-RPC DDoS PROTECTION Bonus Code

    1.  Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE

    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>

    2. Click the Save Root Custom Code button.

    3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

    Notes/Examples:  Your BPS Security Log will log anything that is being blocked and you can create a whitelist rule based on either the IP address or Host Name that is being blocked to whitelist that IP address or Host Name.

    If you want to whitelist your IP Address to allow ONLY your IP address to be able to access and connect to/with the xmlrpc.php file and WordPress IXR Server then uncomment the #Allow from x.x.x. line of .htaccess code by removing the # sign in front of “Allow from x.x.x.” and add your actual IP address by replacing the x’s with your actual IP address (your public/ISP IP address is displayed on the BPS System Info page).

    Example using IP address 99.88.77.66 (it is recommended that you use 3 octets (x.x.x.) of your IP address instead of 4 octets (x.x.x.x) of your IP address):

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    Allow from 99.88.77.
    </FilesMatch>

    You can also whitelist Host Names instead of or in addition to IP addresses:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    Allow from 99.88.77.
    Allow from example.com
    Allow from wordpress.com
    </FilesMatch>

    Double Bonus:  Block/Protect the wp-trackback.php file to prevent trackbacks or pingbacks (spambacks) from being possible

    Note:  If you are using this code then you would not also add the code above.  This is a 2 for 1 deal.  You are combining the code above and adding something additional to the code above.

    WordPress has settings that allow you to turn off trackbacks and pingbacks, but unchecking these WordPress Discussion Settings:  “Allow link notifications from other blogs (pingbacks and trackbacks)” and “Attempt to notify any blogs linked to from the article” does not completely turn off/disable pingback/trackback capabilities on a website.  Trackback and Pingback Spammers can still exploit the wp-trackback.php file even if you have turned off/disabled these options.

    Using this code below means that you will not be able to get pingbacks and trackbacks from other websites on your website.  Personally we have not had good results with allowing trackbacks and pingbacks on our sites.  When we were allowing trackbacks/pingbacks 9 out of 10 pingbacks/trackbacks were spam.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>

    #14890
    Hal9000
    Participant

    Hi Admin, I have a question for the xml-RPC DDos Protection.
    Just for understanding.

    Quote: “XML-RPC DDoS PROTECTION
    You can whitelist your IP address if you use A Blog Client
    or want to whitelist your IP address for any other Reasons. ”

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>

    Do I enter the IP of the server on which the page is hosted?
    Because my own IP (the one I go to the server with) changes every 24 hours (in Germany there is a forced disconnection of the line after 24 hours),
    and the IP is then assigned again.

    If I entered the server IP, might I not be able to get to the server?
    I believe I am standing on the tube. (German saying)

    Thanks for the help.
    Best regards
    Mario.

    #14892
    AITpro Admin
    Keymaster

    You can whitelist 1, 2, 3 or 4 octets of your IP address.  If the first octet of your IP address is always the same then whitelist 1 octet.  If 2 octets of your IP address are always the same whitelist 2 octets, etc.

    # whitelist 1 octet of your IP address
    Allow from 99.
    
    # whitelist 2 octets of your IP address
    Allow from 99.88.
    
    # whitelist 3 octets of your IP address
    Allow from 99.88.77.

    #15845
    Jim Williamson
    Participant

    Okay, I have these two segments added:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    Allow from (first 3 octets of my office exit IP in format xx.xx.xx.)
    </FilesMatch>
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from 63.76.5.
    </FilesMatch>

    That corresponds to my office external IP, yet I am still getting this in the log files:

    [403 GET / HEAD Request: 25 June, 2014 - 10:21]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: (office exit IP)
    Host Name: (office exit IP)
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp/xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; Windows Live Writer 1.0)

    I’ve tried it with the full IP, tried it with just the first two octets, recreated secure.htaccess and applied it each time. It’s becoming a bit of a pita, about ready to just remove it and move on.

    Any suggestion before I do?

    #15847
    AITpro Admin
    Keymaster

    You only need 1 block of code and whitelist the IP and or hostname in that 1 block of code.  By using 2 blocks of code you are actually cancelling out/negating the whitelist you did in the other block of code.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>

    #15848
    Jim Williamson
    Participant

    gah, okay, I thought one was for publisher, one was for trackbacks…
    I’ll ditch the first one then.

    thanks

    EDIT: That did it, thanks

    #15853
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that did the trick!

    Yep, the post is not 100% clear about what to do so I added a note to the original topic above.  ;)

    Note:  If you are using this code then you would not also add the code above.  This is a 2 for 1 deal.  You are combining the code above and adding something additional to the code above.

    #16142
    Paulin Halenria
    Participant

    Hello

    I tried to allow wordpress.com domain for Jetpack but it doesn’t seem to work as expected.

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    </FilesMatch>
    

    But in the logs, I still have this

    [403 GET / HEAD Request: 9 juillet 2014 - 19 h 53 min]
     Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
     Solution: N/A - Hacker/Spammer Blocked/Forbidden
     REMOTE_ADDR: 66.155.9.148
     Host Name: wordpress.com
     SERVER_PROTOCOL: HTTP/1.0
     HTTP_CLIENT_IP:
     HTTP_FORWARDED:
     HTTP_X_FORWARDED_FOR:
     HTTP_X_CLUSTER_CLIENT_IP:
     REQUEST_METHOD: GET
     HTTP_REFERER:
     REQUEST_URI: /xmlrpc.php?for=jetpack
     QUERY_STRING:
     HTTP_USER_AGENT: The Incutio XML-RPC PHP Library

    And Jetpack sees the website as offline.

    i.imgur.com/BpVlF7w.png

    Should I Allow the IP address 66.155.9.148 directly? The reverse of this IP points to wordpress.com, but the domain wordpress.com doesn’t point to this IP address.

    Thanks
    Cedric

    #16144
    AITpro Admin
    Keymaster

    Make sure that you are doing all of the Custom Code steps.  Save the Custom Code, create a new master .htaccess file and activate the htaccess file.  If that is not the problem then…

    What is probably the cause of the block is that Server Protocol HTTP/1.0 is being used and you are using the Server Protocol HTTP/1.0 spambot/hackerbot Bonus Custom Code and blocking Server Protocol HTTP/1.0 sitewide instead of just using that code for ONLY your Login page.  If you are using the Bonus Custom Code in the link below then make sure that it is not being used sitewide.

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
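Added example, not BPS code and not Apache's own implementation: a small Python model of how Apache 2.2 evaluates the FilesMatch blocks in this thread, covering the admin's 1/2/3-octet whitelist reply, the two-block mistake that cancelled Jim's whitelist, and the hostname case Cedric hit with wordpress.com. It assumes every block carries `Order Deny,Allow` and `Deny from all`, that a later matching block replaces (does not merge with) an earlier block's Allow list, and that `Allow from <host>` passes only when the client IP's reverse name also resolves forward to the same IP; the DNS tables are constructed.

```python
import re
# Constructed DNS tables standing in for the resolver (hypothetical data).
REVERSE = {"66.155.9.148": "wordpress.com"}  # PTR answer for the client IP
FORWARD = {"wordpress.com": ["192.0.2.10"]}   # A answer, which lacks that IP

def parse_sections(htaccess):
    """Return [(file_regex, [allow specs])] for each <FilesMatch> block."""
    sections = []
    for m in re.finditer(r'<FilesMatch "([^"]+)">(.*?)</FilesMatch>', htaccess, re.S):
        allows = [ln.split(None, 2)[2] for ln in m.group(2).splitlines()
                  if ln.strip().startswith("Allow from")]  # '#Allow' is skipped
        sections.append((m.group(1), allows))
    return sections

def allow_matches(spec, ip, reverse=REVERSE, forward=FORWARD):
    """Does one 'Allow from <spec>' line cover this client IP?"""
    if re.fullmatch(r"[0-9.]+", spec):
        # Partial IPs match whole octets: '99.88.77.' covers 99.88.77.0-255,
        # and the trailing dot keeps '99.88.7' from matching 99.88.77.x.
        prefix = spec if spec.endswith(".") else spec + "."
        return (ip + ".").startswith(prefix)
    # Host name: double-reverse lookup. The client IP must resolve to a name
    # equal to or ending in <spec>, and that name must resolve back to the IP.
    name = reverse.get(ip)
    if not name or not (name == spec or name.endswith("." + spec)):
        return False
    return ip in forward.get(name, [])

def is_allowed(htaccess, filename, ip):
    """Deny from all + Order Deny,Allow: only the LAST matching block's Allow lines count."""
    allows = None
    for pattern, section_allows in parse_sections(htaccess):
        if re.search(pattern, filename):
            allows = section_allows  # later block replaces the earlier one
    if allows is None:
        return True  # no block protects this file
    return any(allow_matches(a, ip) for a in allows)

# Constructed .htaccess reproducing the two-block mistake discussed above.
TWO_BLOCKS = r'''<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
Allow from 99.88.77.
</FilesMatch>
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
#Allow from x.x.x.
</FilesMatch>
'''
```

Keeping only the second block and uncommenting its Allow line is the single-block fix the admin recommends; the model then admits the whitelisted prefix and still denies everything else.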
