WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php


This topic contains 17 replies, has 5 voices, and was last updated by AITpro Admin 1 day, 8 hours ago.

    #13859

    AITpro Admin
    Keymaster

    WordPress uses the Incutio XML-RPC Library, which is totally awesome and amazing and it is a shame that hackers try to exploit this.  This is not a new issue with the xmlrpc.php file and the WordPress XML-RPC Server/Library and has been known for quite a while now.  Recently there have been several reported DDoS Attacks/Exploits that are exploiting the WordPress XML-RPC Server/Protocol/xmlrpc.php file.  For anyone who uses the WordPress XML-RPC server features/capabilities on their website, there is a risk of DDoS exploitation.  How high that risk is I do not have a definite “odds or percentage” number, but the reality is that the possibility of DDoS exploitation does exist.

    The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code below does completely turn off/disable IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection.  Using this code below will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code as shown in the example below.  If you have added/whitelisted your IP address (or multiple IP addresses) in the XML-RPC DDoS PROTECTION Bonus Custom Code below then you can still remote post to your website.

    Highly Recommended: Use the Double Bonus Trackback Spam Protection Code

    Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.

    Protects against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits

    Checking to ensure that the WordPress XML-RPC DDoS Protection .htaccess code is working on your website

    BPS:  Enter/type in the URL to your xmlrpc.php file on your website.  Example:  example.com/xmlrpc.php.  You should see a 403 Forbidden error, which means your xmlrpc.php file is protected.

    BPS Pro:  Either use the method above for BPS or use the new BPS Pro Pro-Tool:  XML-RPC Exploit Checker to check your local website or check your other websites remotely.  The XML-RPC Exploit Checker Pro-Tool uses the IXR XML-RPC Client script to connect to the WordPress IXR Server & also displays Headers for extra confirmation that the xmlrpc.php file is protected.

    XML-RPC DDoS PROTECTION Bonus Code

    1.  Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE

    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Remove the # sign below to whitelist Jetpack/the Automattic CIDR
    #Allow from 192.0.64.0/18
    Deny from all
    </FilesMatch>

    2. Click the Save Root Custom Code button.

    3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

    Notes/Examples:  Your BPS Security Log will log anything that is being blocked and you can create a whitelist rule based on either the IP address or Host Name that is being blocked to whitelist that IP address or Host Name.

    If you want to whitelist your IP Address to allow ONLY your IP address to be able to access and connect to/with the xmlrpc.php file and WordPress IXR Server then uncomment the #Allow from x.x.x. line of .htaccess code by removing the # sign in front of “Allow from x.x.x.” and add your actual IP address by replacing the x’s with your actual IP address (your public/ISP IP address is displayed on the BPS System Info page).

    Example using IP address 99.88.77.66 (it is recommended that you use 3 octets (x.x.x.) of your IP address instead of 4 octets (x.x.x.x) of your IP address:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Remove the # sign below to whitelist Jetpack/the Automattic CIDR
    #Allow from 192.0.64.0/18
    Allow from 99.88.77.
    Deny from all
    </FilesMatch>

    You can also whitelist Host Names instead of or in addition to IP addresses:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Remove the # sign below to whitelist Jetpack/the Automattic CIDR
    #Allow from 192.0.64.0/18
    Allow from 99.88.77.
    Allow from example.com
    Allow from wordpress.com
    Deny from all
    </FilesMatch>

    Double Bonus:  Block/Protect the wp-trackback.php file to prevent trackbacks or pingbacks (spambacks) from being possible

    Note:  If you are using this code then you would not also add the code above.  This is a 2 for 1 deal.  You are combining the code above and adding something additional to the code above.

    WordPress has settings that allow you to turn off trackbacks and pingbacks, but unchecking these WordPress Discussion Settings:  “Allow link notifications from other blogs (pingbacks and trackbacks)” and “Attempt to notify any blogs linked to from the article” does not completely turn off/disable pingback/trackback capabilities on a website.  Trackback and Pingback Spammers can still exploit the wp-trackback.php file even if you have turned off/disabled these options.

    Using this code below means that you will not be able to get pingbacks and trackbacks from other websites on your website.  Personally we have not had good results with allowing trackbacks and pingbacks on our sites.  When we were allowing trackbacks/pingbacks 9 out of 10 pingbacks/trackbacks were spam.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    # Remove the # sign below to whitelist Jetpack/the Automattic CIDR
    #Allow from 192.0.64.0/18
    Deny from all
    </FilesMatch>
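    As an added illustration (not BPS or Apache code), the following Python models how an Apache 2.2 "Order Deny,Allow" section like the ones above decides a request to xmlrpc.php for the whitelist forms used in this thread (1 to 3 octets, the Automattic CIDR, host names). It assumes the documented mod_authz_host semantics (Deny rules first, Allow rules last, the last matching section's access list replacing earlier ones, host-name rules compared against a double-reverse-verified DNS name, which is passed in as an explicit argument); the sample .htaccess text is constructed.

```python
import ipaddress
import re
# Added example (not BPS or Apache code): models how an Apache 2.2 "Order Deny,Allow"
# section decides a request to xmlrpc.php for the whitelist forms used in this thread.
def rule_matches(rule, client_ip, client_host=None):
    """True if one 'Allow from'/'Deny from' argument matches this client."""
    if rule.lower() == "all":
        return True
    if "/" in rule:                                  # CIDR, e.g. 192.0.64.0/18
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    if re.fullmatch(r"[\d.]+", rule):                # full or partial IP, e.g. 99.88.77.
        prefix = rule if rule.endswith(".") else rule + "."
        return (client_ip + ".").startswith(prefix)
    # Host-name rule: Apache matches it only against a double-reverse-verified DNS
    # name of the client, so pass client_host=None when that verification fails.
    if not client_host:
        return False
    return client_host == rule or client_host.endswith("." + rule)

def parse_sections(htaccess):
    """[(filename_regex, [(keyword, argument), ...])] for each <FilesMatch> block."""
    sections = []
    for m in re.finditer(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', htaccess, re.S):
        directives = []
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):     # skip blanks and comments
                continue
            kw, _, arg = line.partition(" ")
            if kw.lower() in ("allow", "deny"):
                arg = arg.split(None, 1)[1]          # drop the "from" keyword
            directives.append((kw.lower(), arg.strip()))
        sections.append((m.group(1), directives))
    return sections

def decide(htaccess, filename, client_ip, client_host=None):
    """'ALLOW' or 'DENY' for a request to `filename`. Only the last matching <FilesMatch>
    counts (a later section's access list replaces an earlier one), which is why a
    second block without its own Allow line cancels the whitelist in the first."""
    applicable = [d for pat, d in parse_sections(htaccess) if re.search(pat, filename)]
    if not applicable:
        return "ALLOW"
    directives = applicable[-1]
    order = next((a for k, a in directives if k == "order"), "deny,allow").replace(" ", "").lower()
    denied = any(rule_matches(a, client_ip, client_host) for k, a in directives if k == "deny")
    allowed = any(rule_matches(a, client_ip, client_host) for k, a in directives if k == "allow")
    if order == "deny,allow":        # Allow is evaluated last, so a matching Allow wins
        return "ALLOW" if allowed or not denied else "DENY"
    if order == "allow,deny":        # Deny is evaluated last, so a matching Deny wins
        return "ALLOW" if allowed and not denied else "DENY"
    raise ValueError("unsupported Order: " + order)
# Constructed sample: the thread's combined block with a 3-octet whitelist filled in.
SAMPLE = r'''
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Allow from 99.88.77.
Deny from all
</FilesMatch>
'''
```

    Appending a second copy of the block with its Allow line commented out reproduces the "two blocks cancel the whitelist" situation discussed later in this thread.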
    #14890

    Hal9000
    Participant

    Hi Admin, I have a question for the xml-RPC DDos Protection.
    Just for understanding.

    Quote: “XML-RPC DDoS PROTECTION
    You can whitelist your IP address if you use A Blog Client
    or want to whitelist your IP address for any other Reasons. ”

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    # Allow from x.x.x.
    </FilesMatch>

    Do I enter the IP of the server on which the page is hosted?
    Because my own IP (with which I go to the server) changes every 24 hours (in Germany there is a forced disconnection of the line after 24 hours).
    The IP will then be assigned again.

    If I enter the server IP, might I not get to the server?
    I believe I am standing on the tube. (German saying)

    Thanks for the help.
    Best regards
    Mario.

    #14892

    AITpro Admin
    Keymaster

    You can whitelist 1, 2, 3 or 4 octets of your IP address.  If the first octet of your IP address is always the same then whitelist 1 octet.  If 2 octets of your IP address are always the same whitelist 2 octets, etc.

    # whitelist 1 octet of your IP address
    Allow from 99.
    
    # whitelist 2 octets of your IP address
    Allow from 99.88.
    
    # whitelist 3 octets of your IP address
    Allow from 99.88.77.
    #15845

    Jim Williamson
    Participant

    Okay, I have these two segments added:

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    Allow from (first 3 octets of my office exit IP in format xx.xx.xx.)
    </FilesMatch>
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from 63.76.5.
    </FilesMatch>

    That corresponds to my office external IP, yet I am still getting this in the log files

    [403 GET / HEAD Request: 25 June, 2014 - 10:21]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: (office exit IP)
    Host Name: (office exit IP)
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp/xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; Windows Live Writer 1.0)

    I’ve tried it with the full IP, tried it with just the first two octets, recreated secure.htaccess and applied it each time. It’s becoming a bit of a pita, about ready to just remove it and move on.

    Any suggestion before I do?

    #15847

    AITpro Admin
    Keymaster

    You only need 1 block of code and whitelist the IP and or hostname in that 1 block of code.  By using 2 blocks of code you are actually cancelling out/negating the whitelist you did in the other block of code.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>
    #15848

    Jim Williamson
    Participant

    gah, okay, I thought one was for publisher, one was for trackbacks…
    I’ll ditch the first one then.

    thanks

    EDIT: That did it, thanks

    #15853

    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that did the trick!

    Yep, the post is not 100% clear about what to do so I added a note to the original topic above.  ;)

    Note:  If you are using this code then you would not also add the code above.  This is a 2 for 1 deal.  You are combining the code above and adding something additional to the code above.

    #16142

    Paulin Halenria
    Participant

    Hello

    I tried to allow wordpress.com domain for Jetpack but it doesn’t seem to work as expected.

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    </FilesMatch>
    

    But in the logs, I still have this

    [403 GET / HEAD Request: 9 juillet 2014 - 19 h 53 min]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 66.155.9.148
    Host Name: wordpress.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /xmlrpc.php?for=jetpack
    QUERY_STRING:
    HTTP_USER_AGENT: The Incutio XML-RPC PHP Library

    And Jetpack sees the website as offline

    i.imgur.com/BpVlF7w.png

    Should I allow the IP address 66.155.9.148 directly? The reverse of this IP points to wordpress.com, but the domain wordpress.com doesn’t point to this IP address.

    Thanks
    Cedric

    #16144

    AITpro Admin
    Keymaster

    Make sure that you are doing all of the Custom Code steps.  Save the Custom Code, create a new master .htaccess file and activate the htaccess file.  If that is not the problem then…

    What is probably the cause of the block is that Server Protocol HTTP/1.0 is being used and you are using the Server Protocol HTTP/1.0 spambot/hackerbot Bonus Custom Code and blocking Server Protocol HTTP/1.0 sitewide instead of just using that code for ONLY your Login page.  If you are using the Bonus Custom Code in the link below then make sure that it is not being used sitewide.

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    #17922

    Glasairmell
    Participant

    Hi,

    Added the two for one code to xxxx-land and I am still getting the HTTP Status Code: 503 Service Unavailable. The Incutio XML-RPC – IXR Client/Server Response checks out ok and I am seeing the bonus code in the .htaccess . On 5 other sites it is working perfectly. Any suggestions?
    Thank you!

    #17923

    AITpro Admin
    Keymaster

    I assume you are checking using the BPS Pro XML-RPC Exploit Checker Pro-Tool?  503 HTTP Status Response code typically means that a website is in Maintenance Mode.  Is the site in Maintenance Mode?

    #17950

    Glasairmell
    Participant

    Yes I am using the checker and no the site is not in maintenance mode.

    HTTP Status Code: 503 Service Unavailable
    
    Headers: Array
    (
        [date] => Thu, 18 Sep 2014 18:20:33 GMT
        [server] => Apache/2
        [x-powered-by] => PHP/5.3.28
        [set-cookie] => PHPSESSID=bdkmbhqkl7avi1vl2upb19k962; path=/
        [expires] => Sat, 26 Jul 1997 05:00:00 GMT
        [cache-control] => private, no-cache, no-store, proxy-revalidate, no-transform
        [pragma] => no-cache
        [vary] => Cookie,Accept-Encoding,User-Agent
        [status] => 503 Service Temporarily Unavailable
        [retry-after] => -435761
        [content-length] => 3257
        [connection] => close
        [content-type] => text/html; charset=UTF-8
    )
    #17952

    AITpro Admin
    Keymaster

    Ok I am not really sure why you are seeing a 503 Status Response, but I checked your site remotely using the BPS Pro Website Headers Pro-Tool and I am seeing a 200 OK Status Response so that is of course the most important thing – means everything is actually good/no actual problems with this website.  When I check your site remotely with BPS Pro XML-RPC Exploit Checker Pro-Tool I am seeing

    Yes, the WordPress xmlrpc.php file is protected and is NOT exploitable.

    and also a 404 Status Response and not a 503 Status Response, which would mean the xmlrpc.php file has been deleted on this website (see following check below).  One thing that seems a little odd is the URL is not the root URL of your site in the returned Headers and is instead the /german-shepards/ folder.  I assume this is some sort of redirect or some sort of folder structure issue.  In any case everything looks good/fine.

    HTTP Status Code: 200 OK
    
    Headers: Array
    (
    [date] => Thu, 18 Sep 2014 18:32:49 GMT
    [server] => Apache/2
    [x-powered-by] => PHP/5.3.28
    [vary] => Accept-Encoding,Cookie,User-Agent
    [cache-control] => max-age=3, must-revalidate
    [wp-super-cache] => Served supercache file from PHP
    [content-encoding] => gzip
    [content-length] => 9009
    [connection] => close
    [content-type] => text/html; charset=UTF-8
    )

    Remote check for website:  xxxx-land

    HTTP Status Code: 404 Not Found
    
    Headers: Array
    (
    [date] => Thu, 18 Sep 2014 18:36:33 GMT
    [server] => Apache/2
    [x-powered-by] => PHP/5.3.28
    [vary] => Accept-Encoding,Cookie,User-Agent
    [set-cookie] => wfvt_1508155421=541b26315d69d; expires=Thu, 18-Sep-2014 19:06:33 GMT; path=/; httponly
    [x-pingback] => http://xxxx-land.com/german-shepherds/xmlrpc.php
    [expires] => Wed, 11 Jan 1984 05:00:00 GMT
    [cache-control] => no-cache, must-revalidate, max-age=0
    [pragma] => no-cache
    [content-encoding] => gzip
    [content-length] => 6133
    [connection] => close
    [content-type] => text/html; charset=UTF-8
    )
    #17956

    Glasairmell
    Participant

    Ok will not worry about it then. Thank you.

    WordPress is installed in a subdirectory on this site, as you probably know. Not sure what is causing that.

    #17957

    AITpro Admin
    Keymaster

    Ok then that is actually normal and what is supposed to happen if you have a GWIOD WordPress installation – Giving WordPress Its Own Directory.  The only other things that I see that could be affecting the HTTP Status Response on your end would be Wordfence or WP Super Cache.  I believe Wordfence has some kind of XML-RPC protection thing, but have no idea what that is.
