BulletProof Security Pro forum: WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php
Tagged: Bonus Custom Code, DDoS, WordPress XML-RPC, xmlrpc, xmlrpc.php
- This topic has 49 replies, 16 voices, and was last updated 1 year, 9 months ago by AITpro Admin.
AITpro Admin (Keymaster)
Hmm interesting. I just checked one of my GWIOD testing websites remotely and also got a 404 Status Response. When I check from within the site I get a 403 Status Response. So the 404 Status Response is normal for GWIOD sites when checking them remotely. The 503 Status Response is unusual, so my best guess is something else is coming into play. Not really sure what that would be. The most important check is the first check; the second check just shows your Headers Response.
Glasairmell (Participant)
You are correct. I disabled Wordfence firewall and the check functions normally.
AITpro Admin (Keymaster)
Great! Thanks for confirming that.
Devon Woods (Participant)
[Topic moved to this relevant topic]
I am receiving the following in my logs from an autoposting service that I want to be able to post on my site but looks like BPS is blocking it:
[403 GET / HEAD Request: October 3, 2014 7:48 am]
Event Code: PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: x.x.x.x
Host Name: [removed for privacy]
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/bulletproof-security/403.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

I have added the IP address to be allowed in the XML-RPC DDoS Protection code in .htaccess:

# XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
Allow from x.x.x.
# <--- Note: I have the first 3 octets of the IP address entered
</FilesMatch>
Is this all that needs to be done to rectify this issue?
AITpro Admin (Keymaster)
Based on the Security Log entry, it does not appear that what is being blocked is the WordPress xmlrpc.php file. Check whether that is really the issue/problem first by deleting the XML-RPC Bonus Custom Code from your root .htaccess file and testing to see if the autoposting service is able to post to your site.
George Mohan (Participant)
Any other solution for this DDoS / server overload attack:
[Wed Jul 15 16:30:43.644073 2015] [access_compat:error] [pid 25456] [client 108.162.254.137:38632] AH01797: client denied by server configuration: /home/username/public_html/xmlrpc.php
AITpro Admin (Keymaster)
The Server log entry shows that the attack is being blocked: “…client denied by server configuration…”. This means that the attack was blocked/forbidden, so nothing else needs to be done since the attack is already being handled/taken care of.
Terry (Participant)
[topic has been merged into this relevant topic]
I purchased and installed BPS Pro. I use xmlrpc from a third party site. After installing, no one could log in using xmlrpc.php. I removed BPS Pro and went back to the free version. I removed the 3 tables created in the database and the section in the wp-config file. It still does not allow access to xmlrpc.php. Where do I find the code added by BPS Pro to remove so my site is working properly again?
AITpro Admin (Keymaster)
@ Terry – are you using the XML-RPC Bonus Custom Code in this forum topic? If so, you can either add the additional IP addresses that need to be whitelisted or you can remove the code from BPS Custom Code.
BPS and BPS Pro have built-in troubleshooting steps. Everything can be turned On or Off individually for troubleshooting. See the BPS Pro troubleshooting steps here: BPS Pro Troubleshooting Steps
Chris Moon (Participant)
Wondering what the Allowed IP addresses in the code are. I don’t recognize any of them; what are they for? Are they examples which should be deleted?

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>
AITpro Admin (Keymaster)
The IP addresses are JetPack/Automattic IP addresses and are used to whitelist Jetpack/Automattic CIDR IP Address Blocks. If you are not using JetPack then leaving or removing the IP addresses does not matter either way. If you are using JetPack then you need to leave the IP addresses.
Chris Moon (Participant)
OK, thanks for the clarification.
YoolsLoganta (Participant)
Hi there,
The xmlrpc.php file on several of my clients’ websites causes their traffic to suddenly go through the roof. If I apply this code in BPS Pro, will this stop the attacks and reduce the traffic?
Thanks!
AITpro Admin (Keymaster)
If you are referring to something like the XML Quadratic Blowup Attack attack vector (see below) then yep, this code will protect against that. This newer Bonus Custom Code may also be what you are looking for: http://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/
Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.
Protects against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits
weblou (Participant)
Hi, I’m using the Double Bonus Trackback Spam Protection Code and I’d like to whitelist a service that gets posts and sends them to Facebook. Here’s a sample from the security log.

[403 POST Request: February 11, 2016 - 11:08 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: XX.XX.XXX.XXX
Host Name: XXX-XX-XX-XXX-XXX.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: XX.XX.XXX.XXX
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Zapier
REQUEST BODY:
<?xml version='1.0'?>
<methodCall>
  <methodName>wp.getPosts</methodName>
  <params>
    <param><value><string></string></value></param>
    <param><value><string>[Wordpress Username]</string></value></param>
    <param><value><string>[Wordpress Password]</string></value></param>
    <param><value><struct></struct></value></param>
  </params>
</methodCall>

The X’s I’ve swapped above are numbers that change every time for the following:
REMOTE_ADDR
Host Name
HTTP_X_FORWARDED_FOR
How do I whitelist the bot coming from this?
Thanks
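Added example, not code from this thread or from BPS: a Python model of how the `Allow from` entries quoted in this topic are evaluated against a BPS Security Log entry. It covers the 3-octet partial address Devon Woods asked about, the Jetpack CIDR blocks Chris Moon asked about, and weblou's case, where the rule sees REMOTE_ADDR (the relay's own address) rather than HTTP_X_FORWARDED_FOR. The field names follow the log entries above; the sample entries and every address in them are constructed.

```python
import ipaddress
import re

# 'Allow from' values as they appear in the thread: the 3-octet partial address
# from the example comment plus the Jetpack/Automattic CIDR blocks.
ALLOW_FROM = ["99.88.77.", "192.0.64.0/18", "209.15.0.0/16", "66.155.0.0/17"]

# Only the fields the decision depends on; a value runs until the next "Key:".
FIELD = re.compile(r"(REMOTE_ADDR|HTTP_X_FORWARDED_FOR|REQUEST_URI): ?(\S*?)(?= [A-Z][A-Za-z_ ]*:|$)")

def allow_entry_to_network(entry):
    """Turn one 'Allow from' value into an ip_network. mod_access_compat accepts a
    full address, a CIDR block, or a partial dotted address such as '99.88.77.',
    which matches every host starting with those octets (3 octets = the /24)."""
    entry = entry.strip().rstrip(".")
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def xmlrpc_allowed(remote_addr, allow_from=ALLOW_FROM):
    """Emulate 'Order Deny,Allow' + 'Deny from all' + 'Allow from ...' on
    xmlrpc.php: the request passes only if REMOTE_ADDR matches an Allow entry."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in allow_entry_to_network(e) for e in allow_from)

def evaluate_log_entry(entry, allow_from=ALLOW_FROM):
    """Parse a BPS Security Log entry and report how the xmlrpc.php rule treats it.
    Apache matches the connecting address (REMOTE_ADDR), never the client IP a
    proxy reports in HTTP_X_FORWARDED_FOR, so a relay whose egress address keeps
    changing cannot be whitelisted with 'Allow from'."""
    fields = dict(FIELD.findall(entry))
    result = {"forwarded_for": fields.get("HTTP_X_FORWARDED_FOR", "")}
    if not fields.get("REQUEST_URI", "").endswith("/xmlrpc.php"):
        return {**result, "rule_applies": False, "allowed": None}
    return {**result, "rule_applies": True,
            "allowed": xmlrpc_allowed(fields["REMOTE_ADDR"], allow_from)}

# Constructed sample entries in the BPS log format (all addresses are made up).
SAMPLE_LOG = [
    "[403 POST Request] Event Code: BFHS REMOTE_ADDR: 54.10.20.30 "
    "Host Name: ec2-54-10-20-30.compute-1.amazonaws.com HTTP_X_FORWARDED_FOR: 203.0.113.9 "
    "REQUEST_METHOD: GET REQUEST_URI: /xmlrpc.php QUERY_STRING: HTTP_USER_AGENT: Zapier",
    "[200 POST Request] REMOTE_ADDR: 192.0.100.7 HTTP_X_FORWARDED_FOR: REQUEST_URI: /xmlrpc.php QUERY_STRING:",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(evaluate_log_entry(line))
```

The first sample is denied even though HTTP_X_FORWARDED_FOR carries a fixed address, because the rule only ever sees the changing REMOTE_ADDR; the second passes via the Jetpack /18 block.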