WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php


    #17958
    AITpro Admin
    Keymaster

    Hmm, interesting.  I just checked one of my GWIOD testing websites remotely and also got a 404 Status Response.  When I check from within the site I get a 403 Status Response.  So the 404 Status Response is normal for GWIOD sites when checking them remotely.  The 503 Status Response is unusual, so my best guess is something else is coming into play.  Not really sure what that would be.  The most important check is the first check; the second check just shows your Headers Response.

    #17959
    Glasairmell
    Participant

    You are correct. I disabled Wordfence firewall and the check functions normally.

    #17960
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that.

    #18262
    Devon Woods
    Participant

    [Topic moved to this relevant topic]

    I am receiving the following in my logs from an autoposting service that I want to be able to post on my site but looks like BPS is blocking it:

    [403 GET / HEAD Request: October 3, 2014 7:48 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: x.x.x.x
    Host Name: [removed for privacy]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    
    I have added the IP address to be allowed in the XML-RPC DDoS Protection code in .htaccess:
    
    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    # Note: I have the first 3 octets of the IP address entered
    Allow from x.x.x.
    </FilesMatch>

    Is this all that needs to be done to rectify this issue?

    #18273
    AITpro Admin
    Keymaster

    It does not appear that what is being blocked is the WordPress xmlrpc.php file based on the Security Log entry so check if that is really the issue/problem first by deleting the XML-RPC Bonus Custom Code from your root .htaccess file and testing to see if the autoposting service is able to post to your site.
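The check described in this reply, as an added example (not code from the thread or from BPS): parse entries in the Security Log format quoted above and report whether the blocked REQUEST_URI is in fact the file that the XML-RPC rule's FilesMatch "^(xmlrpc\.php)" pattern targets. The log entries and addresses are constructed samples.

```python
import re
from posixpath import basename

# Constructed sample log, modelled on the Security Log entries quoted in this thread
# (addresses are documentation ranges, not real clients).
SAMPLE_LOG = """[403 GET / HEAD Request: October 3, 2014 7:48 am]
Event Code: PSBR-HPR
REMOTE_ADDR: 203.0.113.5
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

[403 POST Request: February 11, 2016 - 11:08 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 198.51.100.7
REQUEST_METHOD: GET
REQUEST_URI: /xmlrpc.php
HTTP_USER_AGENT: Zapier
"""

# Same pattern as the <FilesMatch "^(xmlrpc\.php)"> container in the Bonus Custom Code.
XMLRPC_FILES_MATCH = re.compile(r"^(xmlrpc\.php)")

def parse_entries(text):
    """Split a Security Log into entries; each becomes a dict of its 'Key: value' lines."""
    entries = []
    for block in re.split(r"\n(?=\[\d{3} )", text.strip()):
        lines = block.splitlines()
        entry = {"header": lines[0].strip("[]")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def hit_by_xmlrpc_rule(entry):
    """True only when the requested file name matches the FilesMatch pattern.
    FilesMatch tests the file name, not the whole URI, so BPS's own 403.php is not a hit."""
    path = entry.get("REQUEST_URI", "").split("?", 1)[0]
    return bool(XMLRPC_FILES_MATCH.search(basename(path)))

def triage(text):
    """(client, URI, blocked by the xmlrpc rule?) for every entry, for a quick eyeball."""
    return [(e.get("REMOTE_ADDR"), e.get("REQUEST_URI"), hit_by_xmlrpc_rule(e))
            for e in parse_entries(text)]
```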

    #24010
    George Mohan
    Participant

    Any other solution for this DDoS server overload attack:

    [Wed Jul 15 16:30:43.644073 2015] [access_compat:error] [pid 25456] [client 108.162.254.137:38632] AH01797: client denied by server configuration: /home/username/public_html/xmlrpc.php

    #24017
    AITpro Admin
    Keymaster

    The Server log entry shows that the attack is being blocked:  “…client denied by server configuration…”.  This means that the attack was blocked/forbidden, so nothing else needs to be done since the attack is already being handled/taken care of.

    #25262
    Terry
    Participant

    [topic has been merged into this relevant topic]
    I purchased and installed BPS Pro. I use xmlrpc from a third party site. After installing, no one could log in using xmlrpc.php. I removed BPS Pro and went back to the free version. I removed the 3 tables created in the database and the section in the wp-config file. It still does not allow access to xmlrpc.php. Where do I find the code added by BPS Pro to remove so my site is working properly again?

    #25265
    AITpro Admin
    Keymaster

    @ Terry – are you using the XML-RPC Bonus Custom Code in this forum topic?  If so, you can either add the additional IP addresses that need to be whitelisted or you can remove the code from BPS Custom Code.

    BPS and BPS Pro have built-in troubleshooting steps.  Everything can be turned On or Off individually for troubleshooting.  See the BPS Pro troubleshooting steps here:  BPS Pro Troubleshooting Steps

    #25730
    Chris Moon
    Participant

    Wondering what the Allowed IP addresses in the code are. I don’t recognize any of them; what are they for? Are they examples which should be deleted?

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>

    #25732
    AITpro Admin
    Keymaster

    The IP addresses are JetPack/Automattic IP addresses and are used to:  Whitelist Jetpack/ Automattic CIDR IP Address Blocks.  If you are not using JetPack then leaving or removing the IP addresses does not matter either way.  If you are using JetPack then you need to leave the IP addresses.
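Both the 3-octet whitelisting asked about in #18262 and the Jetpack CIDR blocks asked about here come down to how Apache evaluates Order Deny,Allow with Allow/Deny from. As an added example (not code from the thread, BPS or Apache), this Python evaluator reproduces that logic, including partial-octet prefixes and CIDR ranges, so a given client address can be checked against the rule block before it goes into .htaccess; the rule text is the block quoted above with the 99.88.77. example from its comments added.

```python
import ipaddress
import re

# Constructed: the XML-RPC Bonus Custom Code block quoted in this thread, with the
# 3-octet example from its comments (99.88.77.) added as a fourth Allow line.
XMLRPC_RULES = r"""
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Allow from 99.88.77.
Deny from all
</FilesMatch>
"""

def _from_matches(spec, ip):
    """One 'from' argument: 'all', a full address, a partial address of 1-3 leading
    octets (e.g. '99.88.77.'), or a CIDR block."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if spec.endswith(".") or spec.count(".") < 3:
        return str(ip).startswith(spec.rstrip(".") + ".")
    return ip == ipaddress.ip_address(spec)

def parse_rules(text):
    """Collect Order, Allow and Deny directives; comments and container tags are skipped."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        m = re.match(r"\s*(Order|Allow|Deny)\s+(?:from\s+)?(.+)", line, re.I)
        if not m:
            continue
        directive, args = m.group(1).lower(), m.group(2).split()
        if directive == "order":
            order = args[0].lower()
        elif directive == "allow":
            allow.extend(args)
        else:
            deny.extend(args)
    return order, allow, deny

def is_allowed(client_ip, rules=XMLRPC_RULES):
    """Apache 2.2 / access_compat semantics. Deny,Allow: any Allow match lets the client
    in, otherwise it is let in only if no Deny matched. Allow,Deny: needs an Allow match
    and no Deny match. Apache tests the connecting address (REMOTE_ADDR), not HTTP_X_FORWARDED_FOR."""
    order, allow, deny = parse_rules(rules)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(_from_matches(s, ip) for s in allow)
    denied = any(_from_matches(s, ip) for s in deny)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied
```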

    #25735
    Chris Moon
    Participant

    ok thanks for the clarification.

    #27700
    YoolsLoganta
    Participant

    Hi there,

    The xmlrpc.php file on several of my clients’ websites causes their traffic to suddenly go through the roof. If I apply this code in BPS Pro, will this stop the attacks and reduce the traffic?
    Thanks!

    #27705
    AITpro Admin
    Keymaster

    If you are referring to something like the XML Quadratic Blowup attack vector (see below) then yep, this code will protect against that.  This newer Bonus Custom Code may also be what you are looking for:  http://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/

    Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.

    Protects against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits

    #28201
    weblou
    Participant

    Hi, I’m using the Double Bonus Trackback Spam Protection Code and I’d like to whitelist a service that gets posts and sends them to Facebook. Here’s a sample from the security log.

    [403 POST Request: February 11, 2016 - 11:08 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: XX.XX.XXX.XXX
    Host Name: XXX-XX-XX-XXX-XXX.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: XX.XX.XXX.XXX
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING: 
    HTTP_USER_AGENT: Zapier
    REQUEST BODY: <?xml version='1.0'?>
    <methodCall>
    <methodName>wp.getPosts</methodName>
    <params>
    <param>
    <value><string></string></value>
    </param>
    <param>
    <value><string>[Wordpress Username]</string></value>
    </param>
    <param>
    <value><string>[Wordpress Password]</string></value>
    </param>
    <param>
    <value><struct>
    </struct></value>
    </param>
    </params>
    </methodCall>
    

    The X’s I’ve swapped in above are numbers that change every time for the following:
    REMOTE_ADDR
    Host Name
    HTTP_X_FORWARDED_FOR

    How do I whitelist the bot coming from this?

    Thanks
