WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php

Home Forums BulletProof Security Pro WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php

Viewing 15 posts - 31 through 45 (of 47 total)
  • Author
    Posts
  • #28202
    AITpro Admin
    Keymaster

    Try adding the Xapier IP address and let me know what happens.

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    # Zapier IP address
    Allow from 54.86.9.50
    Deny from all
    </FilesMatch>
    #28208
    weblou
    Participant

    Hi, I tried it this morning and got back those logs the whole day. The remote address changes for each log, only the 1st octet is the same. The thing that stays the same is the user agent, can we block that instead? Or anyone can fake that? Please advise how I can go about this. I really want this protection, I’m seeing other blocked attempts going for the xml-rpc file.

    Thanks in advance.

    #28212
    AITpro Admin
    Keymaster

    Try this: ADD IT TO THE CUSTOM CODE BOTTOM TEXT BOX.

     #BuddyPress Anti-Spam Registration 2
    # Filter by HTTP/1.0 & Referer GET or POST
    RewriteCond %{REQUEST_URI} ^(/register|/activate/|wp-login\.php|xmlrpc\.php)$
    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^(vapier)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ /spam-prevention [R=301,L]
    #28224
    weblou
    Participant

    I’m not getting the logs now, changed vapier to zapier in that code. Is this the final code to put in for this purpose?
    What is this line’s purpose?:

    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
    #28273
    AITpro Admin
    Keymaster

    @ weblou – I see you had an additional question that we did not get an email notification about.

    In the example code this line is for “our” ait-pro.com domain in this example code so you would change the example code to your domain. The Rewrite Condition Referer check is checking that the Referer is not ait-pro.com.

    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
    #30297
    weblou
    Participant

    Hello, for the code you suggested above for our case, our web hosting’s tech team would like to ask if the 3rd line is correct:

    #BuddyPress Anti-Spam Registration 2
    # Filter by HTTP/1.0 & Referer GET or POST
    RewriteCond %{REQUEST_URI} ^(/register|/activate/|wp-login\.php|xmlrpc\.php)$
    RewriteCond %{HTTP_REFERER} !^.*ait-pro.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^(zapier)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ /spam-prevention [R=301,L]

    They say it should be:

    RewriteCond %{HTTP_USER_AGENT} !^(zapier)$ [NC,OR]

    Please advise if it’s correct to have the ! in that line.
    We’ve been having lots of attempts to the xmlrpc.php file lately causing load errors in the server, even with this custom code. Here’s a sample log:

    [400 GET Bad Request: July 15, 2016 - 12:50 pm]
    Event Code: The request could not be understood by the server due to malformed syntax.
    Solution: N/A - Malformed Request - Not an Attack
    REMOTE_ADDR: 52.91.16.186
    Host Name: ec2-52-91-16-186.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT:
    #30299
    AITpro Admin
    Keymaster

    @ weblou – If you want to allow the zavier user agent then yes you would use RewriteCond %{HTTP_USER_AGENT} !^(zapier)$ [NC,OR]. Also you would use your website domain name instead of the ait-pro.com domain name in this line of code: !^.*your-website-domain-name-here.com.* [OR]

    The malformed request to the xmlrpc.php file has a blank user agent and the Server protocol is HTTP/1.0. Both of these things indicate this a spammer or hacker sending bad requests. ie the hacker or spammers code is broken so it cannot be used to do any harm to your website.

    #31314
    emre1905
    Participant

    Hello,

    I added the code but the file xmlrpc.php is still reachable.. How can I solve it?
    Thats where I posted the code:
    htaccess core -> custom code -> Root htaccess File Custom Code -> CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here

    #31315
    AITpro Admin
    Keymaster

    @ emre1905 – Did you do all of the steps?

    1. Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    2. Click the Save Root Custom Code button.
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

    #31329
    emre1905
    Participant

    Yes, I did step 2 ( I am using .54.1), but I can still access these files.

    #31330
    AITpro Admin
    Keymaster

    @ emre1905 – Post the Bonus Custom that you used and a link to your website.

    #31334
    emre1905
    Participant

    I cant post a code here, I receive an error. Can I send you and email or a private message? I dont want to mention my site in public

    #31335
    AITpro Admin
    Keymaster

    @ emre1905 – Send the email to this email address:  info at ait-pro dot com.

    #31385
    Jenn
    Participant

    Just checking – if I add and save this custom code now, can I simply delete it from the “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE” custom code box later to enable xml-rpc functionality again? Or is using this code a permanent choice?

    Thanks!

    #31386
    AITpro Admin
    Keymaster

    @ Jenn – To remove/delete Custom Code you just reverse the process of adding Custom Code:

    1. Delete your custom code.
    2. Click the Save Root Custom Code button (or wp-admin Custom Code button).
    3. Go to the Security Modes page and click the (Root or wp-admin) BulletProof Mode activate button.

Viewing 15 posts - 31 through 45 (of 47 total)
  • You must be logged in to reply to this topic.