WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php (BulletProof Security Pro forum)
Tagged: Bonus Custom Code, DDoS, WordPress XML-RPC, xmlrpc, xmlrpc.php
This topic has 49 replies, 16 voices, and was last updated 1 year, 9 months ago by AITpro Admin.

AITpro Admin (Keymaster):
WordPress uses the Incutio XML-RPC Library, which is totally awesome and amazing and it is a shame that hackers try to exploit this. This is not a new issue with the xmlrpc.php file and the WordPress XML-RPC Server/Library and has been known for quite a while now. Recently there have been several reported DDoS Attacks/Exploits that are exploiting the WordPress XML-RPC Server/Protocol/xmlrpc.php file. For anyone who uses the WordPress XML-RPC server features/capabilities on their website, there is a risk of DDoS exploitation. How high that risk is I do not have a definite “odds or percentage” number, but the reality is that the possibility of DDoS exploitation does exist.
The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code below does completely turn off/disable IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection. Using this code below will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code as shown in the example below. If you have added/whitelisted your IP address (or multiple IP addresses) in the XML-RPC DDoS PROTECTION Bonus Custom Code below then you can still remote post to your website.
Highly Recommended: Use the Double Bonus Trackback Spam Protection Code
IMPORTANT NOTE for Jetpack Plugin Users:
If you have the Jetpack plugin installed then use the recommended Jetpack htaccess code for your website.
Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.
Protects against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits
Checking to ensure that the WordPress XML-RPC DDoS Protection .htaccess code is working on your website
BPS: Enter/type in the URL to your xmlrpc.php file on your website. Example: example.com/xmlrpc.php. You should see a 403 Forbidden error, which means your xmlrpc.php file is protected.
BPS Pro: Either use the method above for BPS or use the BPS Pro Pro-Tool: XML-RPC Exploit Checker to check your local website or check your other websites remotely. The XML-RPC Exploit Checker Pro-Tool uses the IXR XML-RPC Client script to connect to the WordPress IXR Server & also displays Headers for extra confirmation that the xmlrpc.php file is protected.
XML-RPC DDoS PROTECTION Bonus Code
1. Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
2. Click the Save Root Custom Code button.
3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

# XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
#Allow from x.x.x.
Deny from all
</FilesMatch>
Recommended Code for Jetpack Plugin Users
# Jetpack XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx)
# directly above the RewriteRule line below. Then replace the x's with the
# actual IP address you want to whitelist.
# The ! exempts that address; RewriteCond lines are ANDed, so do NOT add an [OR]
# flag here: with [OR] the whitelisted address would be forbidden sitewide.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
NOT Recommended for Jetpack Plugin Users: The reason this code below is not recommended if you have the Jetpack plugin installed is that the Jetpack/Automattic IP addresses may change in the future.
# XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
#Allow from x.x.x.
# Whitelist Jetpack/Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>
Notes/Examples: Your BPS Security Log will log anything that is being blocked and you can create a whitelist rule based on either the IP address or Host Name that is being blocked to whitelist that IP address or Host Name.
If you want to whitelist your IP Address to allow ONLY your IP address to be able to access and connect to/with the xmlrpc.php file and WordPress IXR Server then uncomment the #Allow from x.x.x. line of .htaccess code by removing the # sign in front of “Allow from x.x.x.” and add your actual IP address by replacing the x’s with your actual IP address (your public/ISP IP address is displayed on the BPS System Info page).
Example using IP address 99.88.77.66 (it is recommended that you use 3 octets (x.x.x.) of your IP address instead of 4 octets (x.x.x.x) of your IP address:
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Allow from 99.88.77.
Deny from all
</FilesMatch>
You can also whitelist Host Names instead of or in addition to IP addresses:
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Allow from 99.88.77.
Allow from example.com
Allow from wordpress.com
Deny from all
</FilesMatch>
Double Bonus: Block/Protect the wp-trackback.php file to prevent trackbacks or pingbacks (spambacks) from being possible
Note: If you are using this code then you would not also add the code above. This is a 2 for 1 deal. You are combining the code above and adding something additional to the code above.
WordPress has settings that allow you to turn off trackbacks and pingbacks, but unchecking these WordPress Discussion Settings: “Allow link notifications from other blogs (pingbacks and trackbacks)” and “Attempt to notify any blogs linked to from the article” does not completely turn off/disable pingback/trackback capabilities on a website. Trackback and Pingback Spammers can still exploit the wp-trackback.php file even if you have turned off/disabled these options.
Using this code below means that you will not be able to get pingbacks and trackbacks from other websites on your website. Personally we have not had good results with allowing trackbacks and pingbacks on our sites. When we were allowing trackbacks/pingbacks 9 out of 10 pingbacks/trackbacks were spam.
# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Using this code blocks Pingbacks and Trackbacks on your website.
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
#Allow from x.x.x.
Deny from all
</FilesMatch>
Recommended Code for Jetpack Plugin Users
# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx)
# directly above the RewriteRule line below. Then replace the x's with the
# actual IP address you want to whitelist.
# The ! exempts that address; RewriteCond lines are ANDed, so do NOT add an [OR]
# flag here: with [OR] the whitelisted address would be forbidden sitewide.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
NOT Recommended for Jetpack Plugin Users: The reason this code below is not recommended if you have the Jetpack plugin installed is that the Jetpack/Automattic IP addresses may change in the future.
# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
#Allow from x.x.x.
# Whitelist Jetpack/Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>
Additionally you can add a redirect for anyone trying to use the /trackback/ URI/URL directly:
RedirectMatch 301 ^/trackback/$ https://www.google.com/
Note: If you have a GWIOD (Giving WordPress Its Own Directory) website then the redirect code needs to go in the site root .htaccess file.

Hal9000 (Participant):
Hi Admin, I have a question about the XML-RPC DDoS Protection.
Just for understanding. Quote: “XML-RPC DDoS PROTECTION
You can whitelist your IP address if you use A Blog Client
or want to whitelist your IP address for any other Reasons.”
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
#Allow from x.x.x.
</FilesMatch>
Do I enter the IP of the server on which the page is hosted?
Because my own IP (with which I go to the server) changes every 24 hours (in Germany there is a forced disconnection of the line after 24 hours) and the IP is then assigned again. If I entered the server IP, would I perhaps not get to the server?
I believe I am standing on the tube. (German saying) Thanks for the help.
Best regards
Mario.

AITpro Admin (Keymaster):
You can whitelist 1, 2, 3 or 4 octets of your IP address. If the first octet of your IP address is always the same then whitelist 1 octet. If 2 octets of your IP address are always the same whitelist 2 octets, etc.
# whitelist 1 octet of your IP address
Allow from 99.
# whitelist 2 octets of your IP address
Allow from 99.88.
# whitelist 3 octets of your IP address
Allow from 99.88.77.
Jim Williamson (Participant):
Okay, I have these two segments added:
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
Allow from (first 3 octets of my office exit IP in format xx.xx.xx.)
</FilesMatch>
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
#Allow from 63.76.5.
</FilesMatch>
That corresponds to my office external IP, yet I am still getting this in the log files:
[403 GET / HEAD Request: 25 June, 2014 - 10:21]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: (office exit IP)
Host Name: (office exit IP)
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp/xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; Windows Live Writer 1.0)
I’ve tried it with the full IP, tried it with just the first two octets, activated BulletProof Mode and applied it each time. It’s becoming a bit of a pita, about ready to just remove it and move on.
Any suggestion before I do?
AITpro Admin (Keymaster):
You only need 1 block of code and whitelist the IP and or hostname in that 1 block of code. By using 2 blocks of code you are actually cancelling out/negating the whitelist you did in the other block of code.
# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Using this code blocks Pingbacks and Trackbacks on your website.
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
#Allow from x.x.x.
</FilesMatch>
Jim Williamson (Participant):
gah, okay, I thought one was for publisher, one was for trackbacks…
I’ll ditch the first one then. thanks
EDIT: That did it, thanks
AITpro Admin (Keymaster):
Great! Thanks for confirming that did the trick!
Yep, the post is not 100% clear about what to do so I added a note to the original topic above. 😉
Note: If you are using this code then you would not also add the code above. This is a 2 for 1 deal. You are combining the code above and adding something additional to the code above.
Paulin Halenria (Participant):
Hello
I tried to allow wordpress.com domain for Jetpack but it doesn’t seem to work as expected.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
Allow from wordpress.com
</FilesMatch>
But in the logs, I still have this
[403 GET / HEAD Request: 9 juillet 2014 - 19 h 53 min]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 66.155.9.148
Host Name: wordpress.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php?for=jetpack
QUERY_STRING:
HTTP_USER_AGENT: The Incutio XML-RPC PHP Library
And Jetpack sees the website as offline:
i.imgur.com/BpVlF7w.png
Should I Allow the IP address 66.155.9.148 directly? The reverse of this IP points to wordpress.com, but the domain wordpress.com doesn’t point to this IP address.
Thanks
Cedric

AITpro Admin (Keymaster):
Make sure that you are doing all of the Custom Code steps. Save the Custom Code, create a new master .htaccess file and activate the htaccess file. If that is not the problem then…
What is probably the cause of the block is that Server Protocol HTTP/1.0 is being used and you are using the Server Protocol HTTP/1.0 spambot/hackerbot Bonus Custom Code and blocking Server Protocol HTTP/1.0 sitewide instead of just using that code for ONLY your Login page. If you are using the Bonus Custom Code in the link below then make sure that it is not being used sitewide.
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
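The following is an added example (not BPS code and not an Apache component) that models how the `Allow from` entries in the block above are matched, covering the 1/2/3-octet whitelists from the admin's reply to Mario, the Jetpack CIDR blocks, and the `Allow from wordpress.com` case Cedric hit, where Apache only honours a domain-name entry if the reverse-DNS name also forward-resolves back to the client IP. The function names, the `FORWARD_DNS` table and its address are constructed for the demo.

```python
import ipaddress
import re

# Constructed stand-in for the forward lookup Apache does for "Allow from <domain>";
# no real DNS is queried. The address is an assumed value for the demo only.
FORWARD_DNS = {"wordpress.com": {"192.0.78.9"}}

def _octets_match(entry, ip):
    """Partial address ('99.88.77.' or '99.88'): compare whole octets left to
    right, so '99.8' does NOT match 99.80.1.1 (a string-prefix test would)."""
    want = [o for o in entry.split(".") if o]
    return 1 <= len(want) <= 4 and ip.split(".")[:len(want)] == want

def allow_matches(entry, ip, reverse_name=None):
    """Evaluate one 'Allow from <entry>' directive against a client."""
    if entry == "all":
        return True
    if "/" in entry:                                   # CIDR block
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    if re.fullmatch(r"[0-9.]+", entry):                # full or partial dotted IP
        return _octets_match(entry, ip)
    # Domain name: the client's reverse-DNS name must equal the entry or be a
    # sub-domain of it, AND forward-resolving that name must give back the IP.
    if reverse_name is None:
        return False
    if reverse_name != entry and not reverse_name.endswith("." + entry):
        return False
    return ip in FORWARD_DNS.get(reverse_name, set())

def decide(allow_from, ip, reverse_name=None):
    """'Order Deny,Allow' + 'Deny from all' + the given Allow lines: start from
    denied and let any matching Allow override. Returns the HTTP status code."""
    return 200 if any(allow_matches(e, ip, reverse_name) for e in allow_from) else 403

JETPACK_BLOCKS = ["192.0.64.0/18", "209.15.0.0/16", "66.155.0.0/17"]

def scenarios():
    """Cases from the thread; 99.88.77.x is the post's own placeholder range."""
    return {
        "no Allow line (the bare block)":     decide([], "99.88.77.66"),
        "3-octet whitelist, same ISP block":  decide(["99.88.77."], "99.88.77.201"),
        "1-octet whitelist":                  decide(["99."], "99.1.2.3"),
        "partial octet is not a text prefix": decide(["99.8"], "99.80.1.1"),
        "Jetpack CIDR whitelist":             decide(JETPACK_BLOCKS, "66.155.9.148"),
        "wordpress.com: reverse ok, forward mismatch":
            decide(["wordpress.com"], "66.155.9.148", "wordpress.com"),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status}  {name}")
```

Because the domain-name entry fails the forward check, whitelisting the Jetpack CIDR blocks (or the logged address) is what actually lets the request through in this model, which matches the behaviour the log above shows.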
Glasairmell (Participant):
Hi,
Added the two for one code to xxxx-land and I am still getting the HTTP Status Code: 503 Service Unavailable. The Incutio XML-RPC – IXR Client/Server Response checks out ok and I am seeing the bonus code in the .htaccess . On 5 other sites it is working perfectly. Any suggestions?
Thank you!

AITpro Admin (Keymaster):
I assume you are checking using the BPS Pro XML-RPC Exploit Checker Pro-Tool? 503 HTTP Status Response code typically means that a website is in Maintenance Mode. Is the site in Maintenance Mode?

Glasairmell (Participant):
Yes I am using the checker and no the site is not in maintenance mode.
HTTP Status Code: 503 Service Unavailable
Headers: Array (
  [date] => Thu, 18 Sep 2014 18:20:33 GMT
  [server] => Apache/2
  [x-powered-by] => PHP/5.3.28
  [set-cookie] => PHPSESSID=bdkmbhqkl7avi1vl2upb19k962; path=/
  [expires] => Sat, 26 Jul 1997 05:00:00 GMT
  [cache-control] => private, no-cache, no-store, proxy-revalidate, no-transform
  [pragma] => no-cache
  [vary] => Cookie,Accept-Encoding,User-Agent
  [status] => 503 Service Temporarily Unavailable
  [retry-after] => -435761
  [content-length] => 3257
  [connection] => close
  [content-type] => text/html; charset=UTF-8
)

AITpro Admin (Keymaster):
Ok I am not really sure why you are seeing a 503 Status Response, but I checked your site remotely using the BPS Pro Website Headers Pro-Tool and I am seeing a 200 OK Status Response so that is of course the most important thing – means everything is actually good/no actual problems with this website. When I check your site remotely with BPS Pro XML-RPC Exploit Checker Pro-Tool I am seeing
Yes, the WordPress xmlrpc.php file is protected and is NOT exploitable.
and also a 404 Status Response and not a 503 Status Response, which would mean the xmlrpc.php file has been deleted on this website (see following check below). One thing that seems a little odd is the URL is not the root URL of your site in the returned Headers and is instead the /german-shepards/ folder. I assume this is some sort of redirect or some sort of folder structure issue. In any case everything looks good/fine.
HTTP Status Code: 200 OK
Headers: Array (
  [date] => Thu, 18 Sep 2014 18:32:49 GMT
  [server] => Apache/2
  [x-powered-by] => PHP/5.3.28
  [vary] => Accept-Encoding,Cookie,User-Agent
  [cache-control] => max-age=3, must-revalidate
  [wp-super-cache] => Served supercache file from PHP
  [content-encoding] => gzip
  [content-length] => 9009
  [connection] => close
  [content-type] => text/html; charset=UTF-8
)
Remote check for website: xxxx-land
HTTP Status Code: 404 Not Found
Headers: Array (
  [date] => Thu, 18 Sep 2014 18:36:33 GMT
  [server] => Apache/2
  [x-powered-by] => PHP/5.3.28
  [vary] => Accept-Encoding,Cookie,User-Agent
  [set-cookie] => wfvt_1508155421=541b26315d69d; expires=Thu, 18-Sep-2014 19:06:33 GMT; path=/; httponly
  [x-pingback] => http://xxxx-land.com/german-shepherds/xmlrpc.php
  [expires] => Wed, 11 Jan 1984 05:00:00 GMT
  [cache-control] => no-cache, must-revalidate, max-age=0
  [pragma] => no-cache
  [content-encoding] => gzip
  [content-length] => 6133
  [connection] => close
  [content-type] => text/html; charset=UTF-8
)

Glasairmell (Participant):
Ok will not worry about it then. Thank you. WordPress is installed in a sub directory on this site as you probably know. Not sure what is causing that.

AITpro Admin (Keymaster):
Ok then that is actually normal and what is supposed to happen if you have a GWIOD WordPress installation – Giving WordPress Its Own Directory. The only other things that I see that could be affecting the HTTP Status Response on your end would be Wordfence or WP Super Cache. I believe Wordfence has some kind of XML-RPC protection thing, but have no idea what that is.