WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php

Home Forums BulletProof Security Pro WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php

Viewing 15 posts - 16 through 30 (of 47 total)
  • Author
    Posts
  • #17958
    AITpro Admin
    Keymaster

    Hmm interesting.  I just checked one my GWIOD testing websites remotely and also got a 404 Status Response.  When I check from within the site I get a 403 Status Response.  So the 404 Status Response is normal for GWIOD sites when checking them remotely.  The 503 Status Response is unusual so my best guess is something else is coming into play.  Not really sure what that would be.  The most important check is the first check and the second check just shows your Headers Response.

    #17959
    Glasairmell
    Participant

    You are correct. I disabled Wordfence firewall and the check functions normally.

    #17960
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that.

    #18262
    Devon Woods
    Participant

    [Topic moved to this relevant topic]

    I am receiving the following in my logs from an autoposting service that I want to be able to post on my site but looks like BPS is blocking it:

    [403 GET / HEAD Request: October 3, 2014 7:48 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: x.x.x.x
    Host Name: [removed for privacy]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    
    I have added the IP address to be allowed in the XML-RPC DDoS Protection code in .htaccess
    
    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    Allow from x.x.x.  <---Note: I have the first 3 octets of the IP address entered
    </FilesMatch>

    Is this all that needs to be done to rectify this issue?

    #18273
    AITpro Admin
    Keymaster

    It does not appear that what is being blocked is the WordPress xmlrpc.php file based on the Security Log entry so check if that is really the issue/problem first by deleting the XML-RPC Bonus Custom Code from your root .htaccess file and testing to see if the autoposting service is able to post to your site.

    #24010
    George Mohan
    Participant

    Any other solution for this DDos attack Server overload attack:

    [Wed Jul 15 16:30:43.644073 2015] [access_compat:error] [pid 25456] [client 108.162.254.137:38632] AH01797: client denied by server configuration: /home/username/public_html/xmlrpc.php
    #24017
    AITpro Admin
    Keymaster

    The Server log entry shows that the attack is being blocked:  “…client denied by server configuration…”.  Means that the attack was blocked/forbidden so nothing else needs to be done since the attack is already being handled/taken care of.

    #25262
    Terry
    Participant

    [topic has been merged into this relevant topic]
    I purchased and installed BPS Pro. I use xmlrpc from a third party site. After installing no one could login using the xmlrpc.php I removed BPS pro and went back to the free version. I removed the 3 tables created in the database and the section in the wpconfig file. It still does not allow access to xmlrpc.php. Where do I find the code added by BPS Pro to remove so my site is working properly again.

    #25265
    AITpro Admin
    Keymaster

    @ Terry – are you using the XML-RPC Bonus Custom Code in this forum topic?  If so, you can either add the additional IP addresses that need to be whitelisted or you can remove the code from BPS Custom Code.

    BPS and BPS Pro have built-in troubleshooting steps.  Everything can be turned On or Off individually for troubleshooting.  See the BPS Pro troubleshooting steps here:  BPS Pro Troubleshooting Steps

    #25730
    Chris Moon
    Participant

    Wondering what are the Allowed IP addresses in the code I don’t recognize any of them what are they for? Are they examples which should the be deleted ?

    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>
    #25732
    AITpro Admin
    Keymaster

    The IP addresses are JetPack/Automattic IP addresses and are used to:  Whitelist Jetpack/ Automattic CIDR IP Address Blocks.  If you are not using JetPack then leaving or removing the IP addresses does not matter either way.  If you are using JetPack then you need to leave the IP addresses.

    #25735
    Chris Moon
    Participant

    ok thanks for the clarification.

    #27700
    YoolsLoganta
    Participant

    Hi there,

    The xmlrpc.php file on several of my clients websites causes their traffic to suddenly go through the roof. If I apply this code in BPS Pro, will this stop the attacks and reduce the traffic?
    Thanks!

    #27705
    AITpro Admin
    Keymaster

    If you are referring to something like the XML Quadratic Blowup Attack attack vector (see below) then yep then this code will protect against that.  This newer Bonus Custom Code may also may be what you are looking for:  http://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/

    Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.

    Protects against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits

    #28201
    weblou
    Participant

    Hi, I’m using the Double Bonus Trackback Spam Protection Code and I’d like to whitelist a service that gets posts and sends them to Facebook. Here’s a sample from the security log.

    [403 POST Request: February 11, 2016 - 11:08 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: XX.XX.XXX.XXX
    Host Name: XXX-XX-XX-XXX-XXX.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: XX.XX.XXX.XXX
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING: 
    HTTP_USER_AGENT: Zapier
    REQUEST BODY: <!--?xml version='1.0'?-->
    <methodCall>
    <methodName>wp.getPosts</methodName>
    <params>
    <param>
    <value><string></string></value>
    </param>
    <param>
    <value><string>[Wordpress Username]</string></value>
    </param>
    <param>
    <value><string>[Wordpress Password]</string></value>
    </param>
    <param>
    <value><struct>
    </struct></value>
    </param>
    </params>
    </methodCall>
    

    The X’s I’ve swapped above are numbers that changes everytime for the following:
    REMOTE_ADDR
    Host Name
    HTTP_X_FORWARDED_FOR

    How do I whitelist the bot coming from this?

    Thanks

Viewing 15 posts - 16 through 30 (of 47 total)
  • You must be logged in to reply to this topic.