WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php


Viewing 15 posts - 1 through 15 (of 50 total)
  • #13859
    AITpro Admin
    Keymaster

    WordPress uses the Incutio XML-RPC Library, which is totally awesome and amazing and it is a shame that hackers try to exploit this.  This is not a new issue with the xmlrpc.php file and the WordPress XML-RPC Server/Library and has been known for quite a while now.  Recently there have been several reported DDoS Attacks/Exploits that are exploiting the WordPress XML-RPC Server/Protocol/xmlrpc.php file.  For anyone who uses the WordPress XML-RPC server features/capabilities on their website, there is a risk of DDoS exploitation.  How high that risk is I do not have a definite “odds or percentage” number, but the reality is that the possibility of DDoS exploitation does exist.

    The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code below does completely turn off/disable IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection.  Using this code below will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code as shown in the example below.  If you have added/whitelisted your IP address (or multiple IP addresses) in the XML-RPC DDoS PROTECTION Bonus Custom Code below then you can still remote post to your website.

    Highly Recommended: Use the Double Bonus Trackback Spam Protection Code

    IMPORTANT NOTE for Jetpack Plugin Users:

    If you have the Jetpack plugin installed then use the recommended Jetpack htaccess code for your website.

    Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.

    Protects against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits

    Checking to ensure that the WordPress XML-RPC DDoS Protection .htaccess code is working on your website

    BPS:  Enter/type in the URL to your xmlrpc.php file on your website.  Example:  example.com/xmlrpc.php.  You should see a 403 Forbidden error, which means your xmlrpc.php file is protected.

    BPS Pro:  Either use the method above for BPS or use the BPS Pro Pro-Tool:  XML-RPC Exploit Checker to check your local website or check your other websites remotely.  The XML-RPC Exploit Checker Pro-Tool uses the IXR XML-RPC Client script to connect to the WordPress IXR Server & also displays Headers for extra confirmation that the xmlrpc.php file is protected.

    XML-RPC DDoS PROTECTION Bonus Code

    1. Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    2. Click the Save Root Custom Code button.
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    # On Apache 2.4 the Order/Allow/Deny directives are provided by mod_access_compat
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    #Allow from x.x.x.
    Deny from all
    </FilesMatch>

    Recommended Code for Jetpack Plugin Users

    # Jetpack XML-RPC DDoS PROTECTION
    # Assumes RewriteEngine On is already set earlier in the .htaccess file.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx)
    # between the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist. Keep the leading ! and do NOT add an
    # [OR] flag: RewriteCond lines are ANDed, so the rule fires only when the client
    # IP does NOT match; with [OR] the whitelisted IP would be forbidden instead.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.)
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
    # Any request whose User-Agent contains "Jetpack" is let through; the
    # User-Agent is supplied by the client, so this is not a strong check.
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]

    NOT Recommended for Jetpack Plugin Users: The reason this code below is not recommended if you have the Jetpack plugin installed is that the Jetpack/Automattic IP addresses may change in the future.

    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    #Allow from x.x.x.
    # Whitelist Jetpack/Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>

    Notes/Examples:  Your BPS Security Log will log anything that is being blocked and you can create a whitelist rule based on either the IP address or Host Name that is being blocked to whitelist that IP address or Host Name.

    If you want to whitelist your IP Address to allow ONLY your IP address to be able to access and connect to/with the xmlrpc.php file and WordPress IXR Server then uncomment the #Allow from x.x.x. line of .htaccess code by removing the # sign in front of “Allow from x.x.x.” and add your actual IP address by replacing the x’s with your actual IP address (your public/ISP IP address is displayed on the BPS System Info page).

    Example using IP address 99.88.77.66 (it is recommended that you use 3 octets (x.x.x.) of your IP address instead of 4 octets (x.x.x.x) of your IP address):

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Allow from 99.88.77.
    Deny from all
    </FilesMatch>

    You can also whitelist Host Names instead of or in addition to IP addresses:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Allow from 99.88.77.
    Allow from example.com
    Allow from wordpress.com
    Deny from all
    </FilesMatch>

    Double Bonus:  Block/Protect the wp-trackback.php file to prevent trackbacks or pingbacks (spambacks) from being possible

    Note:  If you are using this code then you would not also add the code above.  This is a 2 for 1 deal.  You are combining the code above and adding something additional to the code above.

    WordPress has settings that allow you to turn off trackbacks and pingbacks, but unchecking these WordPress Discussion Settings:  “Allow link notifications from other blogs (pingbacks and trackbacks)” and “Attempt to notify any blogs linked to from the article” does not completely turn off/disable pingback/trackback capabilities on a website.  Trackback and Pingback Spammers can still exploit the wp-trackback.php file even if you have turned off/disabled these options.

    Using this code below means that you will not be able to get pingbacks and trackbacks from other websites on your website.  Personally we have not had good results with allowing trackbacks and pingbacks on our sites.  When we were allowing trackbacks/pingbacks 9 out of 10 pingbacks/trackbacks were spam.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    #Allow from x.x.x.
    Deny from all
    </FilesMatch>

    Recommended Code for Jetpack Plugin Users

    # Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Assumes RewriteEngine On is already set earlier in the .htaccess file.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx)
    # between the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist. Keep the leading ! and do NOT add an
    # [OR] flag: RewriteCond lines are ANDed, so the rule fires only when the client
    # IP does NOT match; with [OR] the whitelisted IP would be forbidden instead.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.)
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
    # Any request whose User-Agent contains "Jetpack" is let through; the
    # User-Agent is supplied by the client, so this is not a strong check.
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]

    NOT Recommended for Jetpack Plugin Users: The reason this code below is not recommended if you have the Jetpack plugin installed is that the Jetpack/Automattic IP addresses may change in the future.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    #Allow from x.x.x.
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>

    Additionally you can add a redirect for anyone trying to use the /trackback/ URI/URL directly: RedirectMatch 301 ^/trackback/$ https://www.google.com/
    Note: If you have a GWIOD (Giving WordPress Its Own Directory) website then the redirect code needs to go in the site root .htaccess file.
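The Jetpack rule above stands or falls on how mod_rewrite combines its RewriteCond lines, and the whitelist line is the easy part to get wrong. What follows is an added example, not BPS code: a small Python model of mod_rewrite's condition walk (conditions are ANDed; a condition flagged [OR] forms one OR group with the conditions that follow it up to the next unflagged one; a leading ! negates a pattern; %{REQUEST_URI} carries no query string). It compares the chain with the whitelist written as `RewriteCond %{REMOTE_ADDR} ^(99\.88\.77\.) [OR]` against the negated, AND-ed form `!^(99\.88\.77\.)`, and also shows that any client sending a User-Agent containing "Jetpack" passes the rule. The IP prefix 99.88.77., the Windows Live Writer user-agent string (taken from a later post in this thread) and the `Jetpack by WordPress.com` user-agent string are assumptions made for the example.

```python
"""Model of mod_rewrite's RewriteCond chain evaluation for the Jetpack rule.
Added example, not BPS code. Assumed: conditions are ANDed unless flagged
[OR]; consecutive [OR] conditions plus the next unflagged one form one OR
group; a leading '!' negates a pattern; %{REQUEST_URI} excludes the query
string. The IP prefix, user-agent strings and URI below are constructed."""
import re
from typing import Dict, List, NamedTuple


class Cond(NamedTuple):
    var: str                 # server variable, e.g. "REMOTE_ADDR"
    pattern: str             # regex; a leading "!" negates it
    or_next: bool = False    # the [OR] flag


def cond_matches(cond: Cond, env: Dict[str, str]) -> bool:
    negate = cond.pattern.startswith("!")
    pattern = cond.pattern[1:] if negate else cond.pattern
    hit = re.search(pattern, env.get(cond.var, "")) is not None
    return hit != negate


def rule_fires(conds: List[Cond], env: Dict[str, str]) -> bool:
    """True when every AND-ed condition, and one member of each OR group, holds."""
    i = 0
    while i < len(conds):
        cond = conds[i]
        matched = cond_matches(cond, env)
        if cond.or_next:
            if matched:
                # OR group satisfied: skip its remaining members, including
                # the unflagged condition that closes the group
                while i < len(conds) and conds[i].or_next:
                    i += 1
            # an unmatched [OR] condition just falls through to the next member
        elif not matched:
            return False                      # an AND-ed condition failed
        i += 1
    return True


URI = Cond("REQUEST_URI", r"^.*(xmlrpc\.php)$")
NOT_JETPACK_UA = Cond("HTTP_USER_AGENT", r"!^(.*Jetpack.*)$")
WHITELIST = r"^(99\.88\.77\.)"                # 3-octet prefix, as the page recommends

RULE_NO_WHITELIST = [URI, NOT_JETPACK_UA]
# whitelist line carrying an [OR] flag, placed between the two original lines
RULE_OR_WHITELIST = [URI, Cond("REMOTE_ADDR", WHITELIST, or_next=True), NOT_JETPACK_UA]
# whitelist line negated and AND-ed, which is what actually whitelists the IP
RULE_AND_WHITELIST = [URI, Cond("REMOTE_ADDR", "!" + WHITELIST), NOT_JETPACK_UA]

LIVE_WRITER_UA = "Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; Windows Live Writer 1.0)"
JETPACK_UA = "Jetpack by WordPress.com"       # assumed; only the substring "Jetpack" matters


def forbidden(rule: List[Cond], ip: str, ua: str, uri: str = "/xmlrpc.php") -> bool:
    """Does 'RewriteRule ^(.*)$ - [F]' guarded by `rule` answer this request with 403?"""
    return rule_fires(rule, {"REQUEST_URI": uri, "REMOTE_ADDR": ip, "HTTP_USER_AGENT": ua})


if __name__ == "__main__":
    for name, rule in (("no whitelist", RULE_NO_WHITELIST),
                       ("[OR] whitelist", RULE_OR_WHITELIST),
                       ("negated whitelist", RULE_AND_WHITELIST)):
        print(f"{name:18} whitelisted IP + Live Writer -> 403: "
              f"{forbidden(rule, '99.88.77.66', LIVE_WRITER_UA)}")
```

With the [OR] form the whitelisted IP satisfies the OR group on its own, so the forbid rule fires for exactly the client you meant to let in; the negated AND form fails the chain for that client and so lets it through. Note that the user-agent condition passes any request at all that carries "Jetpack" in its User-Agent header, whatever its source address.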

    #14890
    Hal9000
    Participant

    Hi Admin, I have a question for the xml-RPC DDos Protection.
    Just for understanding.

    Quote: “XML-RPC DDoS PROTECTION
    You can whitelist your IP address if you use A Blog Client
    or want to whitelist your IP address for any other Reasons. ”

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>

    Do I enter the IP of the server on which the page is hosted?
    Because my own IP (the one I go to the server with) changes every 24 hours (in Germany there is a forced disconnection of the line after 24 hours).
    The IP will then be assigned again.

    If I enter the server IP, might I not get to the server?
    I believe I am standing on the hose. (German saying)

    Thanks for the help.
    Best regards
    Mario.

    #14892
    AITpro Admin
    Keymaster

    You can whitelist 1, 2, 3 or 4 octets of your IP address.  If the first octet of your IP address is always the same then whitelist 1 octet.  If 2 octets of your IP address are always the same whitelist 2 octets, etc.

    # whitelist 1 octet of your IP address
    Allow from 99.
    
    # whitelist 2 octets of your IP address
    Allow from 99.88.
    
    # whitelist 3 octets of your IP address
    Allow from 99.88.77.

    #15845
    Jim Williamson
    Participant

    Okay, I have these two segments added:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    Allow from (first 3 octets of my office exit IP in format xx.xx.xx.)
    </FilesMatch>
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from 63.76.5.
    </FilesMatch>

    That corresponds to my office external IP, yet I am still getting this in the log files

    [403 GET / HEAD Request: 25 June, 2014 - 10:21]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: (office exit IP)
    Host Name: (office exit IP)
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp/xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; Windows Live Writer 1.0)

    I’ve tried it with the full IP, tried it with just the first two octets, activated BulletProof Mode and applied it each time. It’s becoming a bit of a pita, about ready to just remove it and move on.

    Any suggestion before I do?

    #15847
    AITpro Admin
    Keymaster

    You only need 1 block of code and whitelist the IP and or hostname in that 1 block of code.  By using 2 blocks of code you are actually cancelling out/negating the whitelist you did in the other block of code.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>
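The two-block problem in the post above comes from how Apache applies the access directives, and the following added Python model (not BPS or Apache code) makes the mechanism visible. It assumes: mod_access_compat keeps no per-directory merge function, so when several <FilesMatch> sections match the same file the last matching section's Order/Allow/Deny set replaces the earlier ones; `Order Deny,Allow` lets Allow override Deny and admits clients that match neither; a from-spec may be `all`, a CIDR block, a full address, or a 1-3 octet prefix (trailing dot optional). The office prefix 198.51.100. is a constructed stand-in for the redacted office exit IP. Host-name specs are left out because Apache resolves them with a double reverse lookup, which is a different mechanism. The model also rejects `Order Deny, Allow` with a space, as quoted in an earlier post, because Apache's Order takes exactly one argument.

```python
"""Model of Apache mod_access_compat 'Order/Allow/Deny' evaluation inside
<FilesMatch> sections. Added example, not BPS or Apache code. The merge rule
(the last matching section replaces earlier ones) and the from-spec grammar
are stated assumptions; the office IP prefix is constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# A section is (FilesMatch regex, directive lines as written in .htaccess)
Section = Tuple[str, List[str]]

_DIRECTIVE = re.compile(r"^(Order|Allow|Deny)\s+(?:from\s+)?(.+?)\s*$", re.I)


def spec_matches(spec: str, ip: str) -> bool:
    """'all', a CIDR block, a full IPv4 address, or a 1-3 octet prefix."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    prefix = spec.rstrip(".").split(".")
    return ip.split(".")[: len(prefix)] == prefix


def evaluate(directives: List[str], ip: str) -> bool:
    """Apply one section's access set to a client IP; True means allowed."""
    order, allows, denies = "deny,allow", [], []
    for line in directives:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # '#Allow from x.x.x.' is a comment, not a rule
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"unrecognised directive: {line!r}")
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword == "order":
            if arg.lower() not in ("deny,allow", "allow,deny"):
                # Order takes exactly one argument: 'Deny, Allow' (with a
                # space) is two, which Apache reports as a config error (HTTP 500)
                raise ValueError(f"invalid Order argument: {arg!r}")
            order = arg.lower()
        elif keyword == "allow":
            allows += arg.split()
        else:
            denies += arg.split()
    allowed = any(spec_matches(s, ip) for s in allows)
    denied = any(spec_matches(s, ip) for s in denies)
    if order == "deny,allow":
        return allowed or not denied      # Allow overrides Deny; default is allow
    return allowed and not denied         # Allow,Deny: Deny overrides; default is deny


def access_for(sections: List[Section], filename: str, ip: str) -> bool:
    """Every matching section applies; a later one replaces an earlier one's set."""
    effective: Optional[List[str]] = None
    for files_regex, directives in sections:
        if re.search(files_regex, filename):
            effective = directives
    return True if effective is None else evaluate(effective, ip)


OFFICE = "198.51.100."    # constructed stand-in for the redacted office exit IP

TWO_BLOCKS: List[Section] = [             # the configuration the poster had
    (r"^(xmlrpc\.php)",
     ["Order Deny,Allow", "Deny from all", f"Allow from {OFFICE}"]),
    (r"^(xmlrpc\.php|wp-trackback\.php)",
     ["Order Deny,Allow", "Deny from all", "#Allow from 63.76.5."]),
]
ONE_BLOCK: List[Section] = [              # the single combined block
    (r"^(xmlrpc\.php|wp-trackback\.php)",
     ["Order Deny,Allow", "Deny from all", f"Allow from {OFFICE}"]),
]
JETPACK_BLOCK = ["Order Deny,Allow", "Allow from 192.0.64.0/18",
                 "Allow from 209.15.0.0/16", "Allow from 66.155.0.0/17", "Deny from all"]

if __name__ == "__main__":
    print(access_for(TWO_BLOCKS, "xmlrpc.php", OFFICE + "7"))   # False: whitelist lost
    print(access_for(ONE_BLOCK, "xmlrpc.php", OFFICE + "7"))    # True
    print(evaluate(JETPACK_BLOCK, "66.155.9.148"))              # True
```

For the two-block layout, both sections match xmlrpc.php, so the second section's set (Deny from all with the Allow still commented out) is what gets applied and the office prefix never counts. The same function shows the Jetpack CIDR whitelist admitting 66.155.9.148, the address logged later in this thread.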

    #15848
    Jim Williamson
    Participant

    gah, okay, I thought one was for publisher, one was for trackbacks…
    I’ll ditch the first one then.

    thanks

    EDIT: That did it, thanks

    #15853
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that did the trick!

    Yep, the post is not 100% clear about what to do so I added a note to the original topic above.  😉

    Note:  If you are using this code then you would not also add the code above.  This is a 2 for 1 deal.  You are combining the code above and adding something additional to the code above.

    #16142
    Paulin Halenria
    Participant

    Hello

    I tried to allow wordpress.com domain for Jetpack but it doesn’t seem to work as expected.

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    </FilesMatch>
    

    But in the logs, I still have this

    [403 GET / HEAD Request: 9 July 2014 - 19:53]
     Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
     Solution: N/A - Hacker/Spammer Blocked/Forbidden
     REMOTE_ADDR: 66.155.9.148
     Host Name: wordpress.com
     SERVER_PROTOCOL: HTTP/1.0
     HTTP_CLIENT_IP:
     HTTP_FORWARDED:
     HTTP_X_FORWARDED_FOR:
     HTTP_X_CLUSTER_CLIENT_IP:
     REQUEST_METHOD: GET
     HTTP_REFERER:
     REQUEST_URI: /xmlrpc.php?for=jetpack
     QUERY_STRING:
     HTTP_USER_AGENT: The Incutio XML-RPC PHP Library

    And Jetpack see the website offline

    i.imgur.com/BpVlF7w.png

    Should I Allow the IP address 66.155.9.148 directly ? The reverse of this ip points to wordpress.com but the domain wordpress.com doesn’t point to this IP address.

    Thanks
    Cedric

    #16144
    AITpro Admin
    Keymaster

    Make sure that you are doing all of the Custom Code steps.  Save the Custom Code, create a new master .htaccess file and activate the htaccess file.  If that is not the problem then…

    What is probably the cause of the block is that Server Protocol HTTP/1.0 is being used and you are using the Server Protocol HTTP/1.0 spambot/hackerbot Bonus Custom Code and blocking Server Protocol HTTP/1.0 sitewide instead of just using that code for ONLY your Login page.  If you are using the Bonus Custom Code in the link below then make sure that it is not being used sitewide.

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    #17922
    Glasairmell
    Participant

    Hi,

    Added the two for one code to xxxx-land and I am still getting the HTTP Status Code: 503 Service Unavailable. The Incutio XML-RPC – IXR Client/Server Response checks out ok and I am seeing the bonus code in the .htaccess . On 5 other sites it is working perfectly. Any suggestions?
    Thank you!

    #17923
    AITpro Admin
    Keymaster

    I assume you are checking using the BPS Pro XML-RPC Exploit Checker Pro-Tool?  503 HTTP Status Response code typically means that a website is in Maintenance Mode.  Is the site in Maintenance Mode?

    #17950
    Glasairmell
    Participant

    Yes I am using the checker and no the site is not in maintenance mode.

    HTTP Status Code: 503 Service Unavailable
    
    Headers: Array
    (
        [date] => Thu, 18 Sep 2014 18:20:33 GMT
        [server] => Apache/2
        [x-powered-by] => PHP/5.3.28
        [set-cookie] => PHPSESSID=bdkmbhqkl7avi1vl2upb19k962; path=/
        [expires] => Sat, 26 Jul 1997 05:00:00 GMT
        [cache-control] => private, no-cache, no-store, proxy-revalidate, no-transform
        [pragma] => no-cache
        [vary] => Cookie,Accept-Encoding,User-Agent
        [status] => 503 Service Temporarily Unavailable
        [retry-after] => -435761
        [content-length] => 3257
        [connection] => close
        [content-type] => text/html; charset=UTF-8
    )

    #17952
    AITpro Admin
    Keymaster

    Ok I am not really sure why you are seeing a 503 Status Response, but I checked your site remotely using the BPS Pro Website Headers Pro-Tool and I am seeing a 200 OK Status Response so that is of course the most important thing – means everything is actually good/no actual problems with this website.  When I check your site remotely with BPS Pro XML-RPC Exploit Checker Pro-Tool I am seeing

    Yes, the WordPress xmlrpc.php file is protected and is NOT exploitable.

    and also a 404 Status Response and not a 503 Status Response, which would mean the xmlrpc.php file has been deleted on this website (see following check below).  One thing that seems a little odd is the URL is not the root URL of your site in the returned Headers and is instead the /german-shepards/ folder.  I assume this is some sort of redirect or some sort of folder structure issue.  In any case everything looks good/fine.

    HTTP Status Code: 200 OK
    
    Headers: Array
    (
    [date] => Thu, 18 Sep 2014 18:32:49 GMT
    [server] => Apache/2
    [x-powered-by] => PHP/5.3.28
    [vary] => Accept-Encoding,Cookie,User-Agent
    [cache-control] => max-age=3, must-revalidate
    [wp-super-cache] => Served supercache file from PHP
    [content-encoding] => gzip
    [content-length] => 9009
    [connection] => close
    [content-type] => text/html; charset=UTF-8
    )

    Remote check for website:  xxxx-land

    HTTP Status Code: 404 Not Found
    
    Headers: Array
    (
    [date] => Thu, 18 Sep 2014 18:36:33 GMT
    [server] => Apache/2
    [x-powered-by] => PHP/5.3.28
    [vary] => Accept-Encoding,Cookie,User-Agent
    [set-cookie] => wfvt_1508155421=541b26315d69d; expires=Thu, 18-Sep-2014 19:06:33 GMT; path=/; httponly
    [x-pingback] => http://xxxx-land.com/german-shepherds/xmlrpc.php
    [expires] => Wed, 11 Jan 1984 05:00:00 GMT
    [cache-control] => no-cache, must-revalidate, max-age=0
    [pragma] => no-cache
    [content-encoding] => gzip
    [content-length] => 6133
    [connection] => close
    [content-type] => text/html; charset=UTF-8
    )
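The remote checks in the posts above (a 403 meaning protected, a 404 or 503 meaning something else is answering) can be reproduced without the Pro-Tool. The following is an added example, not BPS code: it GETs /xmlrpc.php, then POSTs an XML-RPC `system.listMethods` call and reports whether the server answered it, giving a verdict of protected, exposed, or inconclusive. The two HTTP handlers in the block are constructed test doubles standing in for a protected site and an unprotected one, so the example runs offline; the user-agent string and the method list are assumptions.

```python
"""Stand-in for the 'is xmlrpc.php protected?' check: GET the file, then POST
an XML-RPC system.listMethods call and see whether the server answers.
Added example, not BPS code. The two HTTP handlers are constructed test
doubles standing in for a protected and an unprotected site."""
import http.server
import threading
import urllib.error
import urllib.request
import xmlrpc.client
from typing import Dict, List, Optional, Tuple


def _request(url: str, data: Optional[bytes], user_agent: str) -> Tuple[int, bytes]:
    headers = {"User-Agent": user_agent}
    if data is not None:
        headers["Content-Type"] = "text/xml"
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 403/404/405/503 all land here
        return err.code, err.read()


def check_xmlrpc(base_url: str, user_agent: str = "xmlrpc-check/0.1") -> Dict[str, object]:
    """GET status, POST status, and the method list if the XML-RPC server replied."""
    url = base_url.rstrip("/") + "/xmlrpc.php"
    get_status, _ = _request(url, None, user_agent)
    call = xmlrpc.client.dumps((), "system.listMethods").encode()
    post_status, body = _request(url, call, user_agent)
    methods: List[str] = []
    if post_status == 200:
        try:
            (listed,), _ = xmlrpc.client.loads(body.decode())
            methods = list(listed)
        except Exception:                      # not an XML-RPC response (e.g. HTML)
            pass
    return {"get_status": get_status, "post_status": post_status, "methods": methods}


def verdict(result: Dict[str, object]) -> str:
    if result["methods"]:
        return "exposed"        # the server enumerated its XML-RPC methods
    if result["post_status"] == 403:
        return "protected"      # the 403 the .htaccess rules on this page produce
    return "inconclusive"       # e.g. 404 (file removed) or 503 (maintenance/other plugin)


class _Stub(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):               # keep the demo quiet
        pass

    def _reply(self, code: int, body: bytes, ctype: str = "text/html") -> None:
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _body(self) -> bytes:
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))


class ProtectedSite(_Stub):
    """Constructed: xmlrpc.php behind 'Deny from all', 403 to everything."""
    def do_GET(self):
        self._reply(403, b"<h1>Forbidden</h1>")

    def do_POST(self):
        self._body()
        self._reply(403, b"<h1>Forbidden</h1>")


class OpenSite(_Stub):
    """Constructed: an unprotected WordPress-style XML-RPC endpoint."""
    METHODS = ["system.listMethods", "pingback.ping", "wp.getUsersBlogs"]

    def do_GET(self):
        self._reply(405, b"XML-RPC server accepts POST requests only.", "text/plain")

    def do_POST(self):
        _, method = xmlrpc.client.loads(self._body().decode())
        if method == "system.listMethods":
            reply = xmlrpc.client.dumps((self.METHODS,), methodresponse=True)
        else:
            reply = xmlrpc.client.dumps(xmlrpc.client.Fault(-32601, "method not found"))
        self._reply(200, reply.encode(), "text/xml")


def serve(handler) -> http.server.HTTPServer:
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)   # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> Dict[str, str]:
    """Probe both stubs and return their verdicts."""
    verdicts = {}
    for name, handler in (("protected", ProtectedSite), ("open", OpenSite)):
        server = serve(handler)
        try:
            port = server.server_address[1]
            verdicts[name] = verdict(check_xmlrpc(f"http://127.0.0.1:{port}"))
        finally:
            server.shutdown()
            server.server_close()
    return verdicts


if __name__ == "__main__":
    print(demo())   # {'protected': 'protected', 'open': 'exposed'}
```

Against a real site, pass the site's base URL to `check_xmlrpc` and read the verdict; a GET alone is not enough, because a site that answers GET with 405 can still serve XML-RPC over POST, and a 404 or 503 says nothing about the rules at all, which is the situation in the exchange above.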

    #17956
    Glasairmell
    Participant

    Ok will not worry about it then. Thank you.  WordPress is installed in a sub directory on this site as you probably know. Not sure what is causing that.

    #17957
    AITpro Admin
    Keymaster

    Ok then that is actually normal and what is supposed to happen if you have a GWIOD WordPress installation – Giving WordPress Its Own Directory.  The only other things that I see that could be affecting the HTTP Status Response on your end would be Wordfence or WP Super Cache.  I believe Wordfence has some kind of XML-RPC protection thing, but have no idea what that is.
