WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php

    #28202
    AITpro Admin
    Keymaster

    Try adding the Zapier IP address and let me know what happens.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    # Zapier IP address
    Allow from 54.86.9.50
    Deny from all
    </FilesMatch>

    #28208
    weblou
    Participant

    Hi, I tried it this morning and got back those logs the whole day. The remote address changes for each log, only the 1st octet is the same. The thing that stays the same is the user agent, can we block that instead? Or anyone can fake that? Please advise how I can go about this. I really want this protection, I’m seeing other blocked attempts going for the xml-rpc file.

    Thanks in advance.

    #28212
    AITpro Admin
    Keymaster

    Try this: ADD IT TO THE CUSTOM CODE BOTTOM TEXT BOX.

    #BuddyPress Anti-Spam Registration 2
    # Filter by HTTP/1.0 & Referer GET or POST
    RewriteCond %{REQUEST_URI} ^/(register|activate/|wp-login\.php|xmlrpc\.php)$
    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^(vapier)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ /spam-prevention [R=301,L]

    #28224
    weblou
    Participant

    I’m not getting the logs now, changed vapier to zapier in that code. Is this the final code to put in for this purpose?
    What is this line’s purpose?:

    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]

    #28273
    AITpro Admin
    Keymaster

    @ weblou – I see you had an additional question that we did not get an email notification about.

    In the example code this line is for “our” ait-pro.com domain in this example code so you would change the example code to your domain. The Rewrite Condition Referer check is checking that the Referer is not ait-pro.com.

    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]

    #30297
    weblou
    Participant

    Hello, for the code you suggested above for our case, our web hosting’s tech team would like to ask if the 3rd line is correct:

    #BuddyPress Anti-Spam Registration 2
    # Filter by HTTP/1.0 & Referer GET or POST
    RewriteCond %{REQUEST_URI} ^/(register|activate/|wp-login\.php|xmlrpc\.php)$
    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^(zapier)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ /spam-prevention [R=301,L]

    They say it should be:

    RewriteCond %{HTTP_USER_AGENT} !^(zapier)$ [NC,OR]

    Please advise if it’s correct to have the ! in that line.
    We’ve been having lots of attempts to the xmlrpc.php file lately causing load errors in the server, even with this custom code. Here’s a sample log:

    [400 GET Bad Request: July 15, 2016 - 12:50 pm]
    Event Code: The request could not be understood by the server due to malformed syntax.
    Solution: N/A - Malformed Request - Not an Attack
    REMOTE_ADDR: 52.91.16.186
    Host Name: ec2-52-91-16-186.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT:

    #30299
    AITpro Admin
    Keymaster

    @ weblou – If you want to allow the zapier user agent then yes you would use RewriteCond %{HTTP_USER_AGENT} !^(zapier)$ [NC,OR]. Also you would use your website domain name instead of the ait-pro.com domain name in this line of code: !^.*your-website-domain-name-here.com.* [OR]

    The malformed request to the xmlrpc.php file has a blank user agent and the Server protocol is HTTP/1.0. Both of these things indicate this is a spammer or hacker sending bad requests, i.e. the hacker's or spammer's code is broken so it cannot be used to do any harm to your website.
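
Added example (not part of the thread and not AITpro's code): a small Python model of how mod_rewrite combines the conditions discussed above, with implicit AND between groups and `[OR]` joining a run of conditions, evaluated with and without the `!` on the user-agent line. Assumptions: the request samples are constructed (only `logged` uses the values from the log entry above), the user-agent string `zapier` is taken from the rule rather than from real Zapier traffic, and the REQUEST_URI pattern is written with a leading slash so that it matches `/xmlrpc.php`.

```python
import re

def build_chain(ua_negated, domain="ait-pro.com"):
    """The thread's conditions as (variable, regex, negate, nocase, ornext)."""
    return [
        ("REQUEST_URI", r"^/(register|activate/|wp-login\.php|xmlrpc\.php)$",
         False, False, False),
        ("HTTP_REFERER", "^.*" + domain + ".*", True, False, True),
        ("HTTP_USER_AGENT", r"^(zapier)$", ua_negated, True, True),
        ("THE_REQUEST", r"HTTP/1\.0$", False, False, True),
        ("SERVER_PROTOCOL", r"HTTP/1\.0$", False, False, False),
    ]

def rule_fires(chain, request):
    """True when the RewriteRule would run (redirect to /spam-prevention).
    Conditions are ANDed, except that a run joined by [OR] forms one group
    that passes as soon as any of its members passes."""
    group_ok = False
    for var, pattern, negate, nocase, ornext in chain:
        hit = re.search(pattern, request.get(var, ""), re.I if nocase else 0)
        group_ok = group_ok or ((hit is not None) != negate)
        if not ornext:              # last condition of the current group
            if not group_ok:
                return False
            group_ok = False
    return True

def req(uri, proto, referer="", ua=""):
    return {"REQUEST_URI": uri, "SERVER_PROTOCOL": proto,
            "THE_REQUEST": f"GET {uri} {proto}",
            "HTTP_REFERER": referer, "HTTP_USER_AGENT": ua}

# Constructed samples; "logged" mirrors the log entry quoted in the thread.
SAMPLES = {
    "logged": req("/xmlrpc.php", "HTTP/1.0"),
    "zapier_no_referer": req("/xmlrpc.php", "HTTP/1.1", ua="zapier"),
    "site_referer_browser": req("/xmlrpc.php", "HTTP/1.1",
                                "https://ait-pro.com/", "Mozilla/5.0"),
    "site_referer_zapier": req("/xmlrpc.php", "HTTP/1.1",
                               "https://ait-pro.com/", "Zapier"),
    "other_page": req("/index.php", "HTTP/1.0"),
}

def verdicts(ua_negated):
    chain = build_chain(ua_negated)
    return {name: rule_fires(chain, r) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for negated in (False, True):
        print("with '!'" if negated else "as posted", verdicts(negated))
```

In both variants a request that carries no Referer is redirected whatever its user agent, because the Referer condition alone satisfies the `[OR]` group.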

    #31314
    emre1905
    Participant

    Hello,

    I added the code but the file xmlrpc.php is still reachable. How can I solve it?
    That's where I posted the code:
    htaccess core -> custom code -> Root htaccess File Custom Code -> CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here

    #31315
    AITpro Admin
    Keymaster

    @ emre1905 – Did you do all of the steps?

    1. Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    2. Click the Save Root Custom Code button.
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

    #31329
    emre1905
    Participant

    Yes, I did step 2 (I am using .54.1), but I can still access these files.

    #31330
    AITpro Admin
    Keymaster

    @ emre1905 – Post the Bonus Custom that you used and a link to your website.

    #31334
    emre1905
    Participant

    I can't post a code here, I receive an error. Can I send you an email or a private message? I don't want to mention my site in public.

    #31335
    AITpro Admin
    Keymaster

    @ emre1905 – Send the email to this email address:  info at ait-pro dot com.

    #31385
    Jenn
    Participant

    Just checking – if I add and save this custom code now, can I simply delete it from the “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE” custom code box later to enable xml-rpc functionality again? Or is using this code a permanent choice?

    Thanks!

    #31386
    AITpro Admin
    Keymaster

    @ Jenn – To remove/delete Custom Code you just reverse the process of adding Custom Code:

    1. Delete your custom code.
    2. Click the Save Root Custom Code button (or wp-admin Custom Code button).
    3. Go to the Security Modes page and click the (Root or wp-admin) BulletProof Mode activate button.
