WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php
Tagged: Bonus Custom Code, DDoS, WordPress XML-RPC, xmlrpc, xmlrpc.php
This topic has 49 replies, 16 voices, and was last updated 1 year, 9 months ago by AITpro Admin.
AITpro Admin (Keymaster)
Try adding the Zapier IP address and let me know what happens.

# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Using this code blocks Pingbacks and Trackbacks on your website.
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
# Zapier IP address
Allow from 54.86.9.50
Deny from all
</FilesMatch>
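As an added example (not part of the BPS Bonus Custom Code and not posted in this thread), the Python below models how Apache evaluates the Order Deny,Allow / Allow from / Deny from all directives in that FilesMatch block, including the partial 3-octet form the comments recommend. The allow list is the one from the block; the client addresses used to exercise it are constructed, except 54.86.9.50 (the Zapier host in the block) and 52.91.16.186 (the EC2 address from the 400 log posted further down in this thread).

```python
"""Model Apache's Order/Allow/Deny evaluation for the <FilesMatch> block above.

Added example, not BPS code. It reproduces the mod_access (Apache 2.2)
semantics that mod_access_compat still honours in 2.4: 'Allow from' accepts
'all', a host address, a CIDR block, or a partial dotted address such as
'99.88.77.' (the 3-octet form the comments recommend), which matches every
address that starts with those octets.
"""
import ipaddress


def parse_host_spec(spec: str):
    """Turn an Allow/Deny argument into the string 'all' or an ip_network."""
    spec = spec.strip()
    if spec.lower() == "all":
        return "all"
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    if len(octets) == 4:
        return ipaddress.ip_network(spec)  # single host, i.e. a /32
    # Partial address: pad with zeros; prefix length is 8 bits per given octet.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def _matches(ip, spec) -> bool:
    return spec == "all" or ip in spec


def mod_access_decision(client_ip: str, order: str, allow_from, deny_from) -> bool:
    """True if the client is permitted.

    Order Deny,Allow: Deny directives apply first, an Allow match overrides
                      them, and anything that matches neither is permitted.
    Order Allow,Deny: the client must match an Allow and no Deny; anything
                      that matches neither is refused.
    """
    ip = ipaddress.ip_address(client_ip)
    allowed = any(_matches(ip, parse_host_spec(s)) for s in allow_from)
    denied = any(_matches(ip, parse_host_spec(s)) for s in deny_from)
    if order == "Deny,Allow":
        return allowed or not denied
    if order == "Allow,Deny":
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


# The directives from the FilesMatch block in the post above.
XMLRPC_ALLOW = ["192.0.64.0/18", "209.15.0.0/16", "66.155.0.0/17", "54.86.9.50"]
XMLRPC_DENY = ["all"]


def xmlrpc_allowed(client_ip: str, extra_allow=()) -> bool:
    """Apply the block, optionally with your own 'Allow from' line(s) added."""
    return mod_access_decision(client_ip, "Deny,Allow",
                               XMLRPC_ALLOW + list(extra_allow), XMLRPC_DENY)


if __name__ == "__main__":
    # Constructed test addresses; 52.91.16.186 is the EC2 host from the log in this thread.
    for ip in ("54.86.9.50", "192.0.100.7", "52.91.16.186"):
        print(ip, "allowed" if xmlrpc_allowed(ip) else "denied")
    # A 3-octet whitelist entry covers the whole /24.
    print("99.88.77.12 with 'Allow from 99.88.77.':",
          xmlrpc_allowed("99.88.77.12", extra_allow=["99.88.77."]))
```

Running it shows that only the listed Automattic ranges and the Zapier host get through, that a 3-octet Allow covers the whole /24, and that the same directives under Order Allow,Deny would refuse everyone, because Deny from all then wins over every Allow.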
weblou (Participant)
Hi, I tried it this morning and got back those logs the whole day. The remote address changes for each log; only the 1st octet is the same. The thing that stays the same is the user agent. Can we block that instead? Or can anyone fake that? Please advise how I can go about this. I really want this protection; I’m seeing other blocked attempts going for the xml-rpc file.
Thanks in advance.
AITpro Admin (Keymaster)
Try this: ADD IT TO THE CUSTOM CODE BOTTOM TEXT BOX.

#BuddyPress Anti-Spam Registration 2
# Filter by HTTP/1.0 & Referer GET or POST
# REQUEST_URI always begins with "/", so each alternative needs the leading slash to match
RewriteCond %{REQUEST_URI} ^(/register|/activate/|/wp-login\.php|/xmlrpc\.php)$
RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^(vapier)$ [NC,OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ /spam-prevention [R=301,L]
weblou (Participant)
I’m not getting the logs now; I changed vapier to zapier in that code. Is this the final code to put in for this purpose?
What is this line’s purpose?
RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
AITpro Admin (Keymaster)
@ weblou – I see you had an additional question that we did not get an email notification about.
In the example code, this line is for “our” ait-pro.com domain, so you would change the example code to your domain. The Rewrite Condition Referer check is checking that the Referer is not ait-pro.com.
RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
weblou (Participant)
Hello, for the code you suggested above for our case, our web hosting’s tech team would like to ask if the 3rd line is correct:

#BuddyPress Anti-Spam Registration 2
# Filter by HTTP/1.0 & Referer GET or POST
RewriteCond %{REQUEST_URI} ^(/register|/activate/|/wp-login\.php|/xmlrpc\.php)$
RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^(zapier)$ [NC,OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ /spam-prevention [R=301,L]

They say it should be:
RewriteCond %{HTTP_USER_AGENT} !^(zapier)$ [NC,OR]
Please advise if it’s correct to have the ! in that line.
We’ve been having lots of attempts on the xmlrpc.php file lately, causing load errors on the server, even with this custom code. Here’s a sample log:

[400 GET Bad Request: July 15, 2016 - 12:50 pm]
Event Code: The request could not be understood by the server due to malformed syntax.
Solution: N/A - Malformed Request - Not an Attack
REMOTE_ADDR: 52.91.16.186
Host Name: ec2-52-91-16-186.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT:
AITpro Admin (Keymaster)
@ weblou – If you want to allow the zapier user agent then yes you would use
RewriteCond %{HTTP_USER_AGENT} !^(zapier)$ [NC,OR]
Also you would use your website domain name instead of the ait-pro.com domain name in this line of code:
!^.*your-website-domain-name-here.com.* [OR]
The malformed request to the xmlrpc.php file has a blank user agent and the Server protocol is HTTP/1.0. Both of these things indicate this is a spammer or hacker sending bad requests, i.e. the hacker's or spammer's code is broken so it cannot be used to do any harm to your website.
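The hosting team's question about the ! and the reply above both turn on how mod_rewrite combines a chain of RewriteCond directives. The following is an added Python example (not BPS code and not from any post in this thread) that evaluates the condition chain suggested earlier in the thread with both forms of the user-agent line over a handful of constructed requests. The first request copies the fields from the 400 log above; the referer domain is left as ait-pro.com exactly as in the posted code; and the REQUEST_URI alternatives are written with a leading slash on the assumption that REQUEST_URI always begins with "/".

```python
"""Simulate how Apache mod_rewrite combines a chain of RewriteCond directives.

Added example for this thread, not BPS code. Consecutive conditions are ANDed,
a condition carrying [OR] is ORed with the one after it, [NC] makes the regex
case-insensitive, and a leading ! negates the match. The request records are
constructed; "attacker" mirrors the 400 log above (blank UA, HTTP/1.0).
"""
import re


def rewrite_cond(value: str, pattern: str, flags=()) -> bool:
    """Evaluate one RewriteCond the way Apache does (regex search, ! and NC)."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None
    return hit != negate


def conds_match(request: dict, conds) -> bool:
    """conds is a list of (server_variable, pattern, flags).

    Apache groups each run of [OR]-flagged conditions with the condition that
    follows them; the groups are then ANDed. A variable that is absent is "".
    """
    groups, current = [], []
    for var, pattern, flags in conds:
        current.append(rewrite_cond(request.get(var, ""), pattern, flags))
        if "OR" not in flags:
            groups.append(any(current))
            current = []
    if current:  # a trailing [OR] on the last condition closes the group too
        groups.append(any(current))
    return all(groups)


def spam_prevention_conds(ua_pattern: str):
    """The condition chain from the thread, parameterised on the UA pattern.

    Assumption: REQUEST_URI always begins with "/", so the login and xmlrpc
    alternatives carry a leading slash so that they can match at all.
    """
    return [
        ("REQUEST_URI", r"^(/register|/activate/|/wp-login\.php|/xmlrpc\.php)$", ()),
        ("HTTP_REFERER", r"!^.*ait-pro.com.*", ("OR",)),
        ("HTTP_USER_AGENT", ua_pattern, ("NC", "OR")),
        ("THE_REQUEST", r"HTTP/1\.0$", ("OR",)),
        ("SERVER_PROTOCOL", r"HTTP/1\.0$", ()),
    ]


# Constructed requests; "attacker" copies the fields from the 400 log above.
REQUESTS = {
    "attacker": {"REQUEST_URI": "/xmlrpc.php", "HTTP_REFERER": "", "HTTP_USER_AGENT": "",
                 "THE_REQUEST": "GET /xmlrpc.php HTTP/1.0", "SERVER_PROTOCOL": "HTTP/1.0"},
    "zapier_no_referer": {"REQUEST_URI": "/xmlrpc.php", "HTTP_REFERER": "",
                          "HTTP_USER_AGENT": "Zapier", "THE_REQUEST": "POST /xmlrpc.php HTTP/1.1",
                          "SERVER_PROTOCOL": "HTTP/1.1"},
    "zapier_site_referer": {"REQUEST_URI": "/xmlrpc.php", "HTTP_REFERER": "https://ait-pro.com/",
                            "HTTP_USER_AGENT": "Zapier", "THE_REQUEST": "POST /xmlrpc.php HTTP/1.1",
                            "SERVER_PROTOCOL": "HTTP/1.1"},
    "browser_login": {"REQUEST_URI": "/wp-login.php", "HTTP_REFERER": "https://ait-pro.com/wp-login.php",
                      "HTTP_USER_AGENT": "Mozilla/5.0", "THE_REQUEST": "POST /wp-login.php HTTP/1.1",
                      "SERVER_PROTOCOL": "HTTP/1.1"},
    "browser_homepage": {"REQUEST_URI": "/", "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0",
                         "THE_REQUEST": "GET / HTTP/1.1", "SERVER_PROTOCOL": "HTTP/1.1"},
}


def redirected(ua_pattern: str) -> dict:
    """Which constructed requests the rule would send to /spam-prevention."""
    conds = spam_prevention_conds(ua_pattern)
    return {name: conds_match(req, conds) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for pattern in (r"^(zapier)$", r"!^(zapier)$"):
        print(pattern, redirected(pattern))
```

With `^(zapier)$` the blank-UA HTTP/1.0 request and both Zapier requests are redirected and the browser login from the site's own referer is not. With `!^(zapier)$` the Zapier request that carries the site referer is let through, but the browser login from that same referer is now redirected, because the negated condition matches every user agent other than zapier. A Zapier call that sends no Referer is redirected by either form, since the Referer condition alone is enough to fire the rule.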
emre1905 (Participant)
Hello,
I added the code but the file xmlrpc.php is still reachable. How can I solve it?
That's where I posted the code:
htaccess core -> custom code -> Root htaccess File Custom Code -> CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here

AITpro Admin (Keymaster)
@ emre1905 – Did you do all of the steps?
1. Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
2. Click the Save Root Custom Code button.
3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

emre1905 (Participant)
Yes, I did step 2 (I am using .54.1), but I can still access these files.

AITpro Admin (Keymaster)
@ emre1905 – Post the Bonus Custom Code that you used and a link to your website.

emre1905 (Participant)
I can't post code here; I receive an error. Can I send you an email or a private message? I don't want to mention my site in public.

AITpro Admin (Keymaster)
@ emre1905 – Send the email to this email address: info at ait-pro dot com.
Jenn (Participant)
Just checking – if I add and save this custom code now, can I simply delete it from the “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE” custom code box later to enable xml-rpc functionality again? Or is using this code a permanent choice?
Thanks!
AITpro Admin (Keymaster)
@ Jenn – To remove/delete Custom Code you just reverse the process of adding Custom Code:
1. Delete your custom code.
2. Click the Save Root Custom Code button (or wp-admin Custom Code button).
3. Go to the Security Modes page and click the (Root or wp-admin) BulletProof Mode activate button.