Since WordPress is widely used across the world, it is also a popular target for every type of attacker. One common attack on WordPress is the XML-RPC attack. This tutorial was made to help you learn about XML-RPC and how you can stop your site from being attacked through it.
What is an XML-RPC attack?
XML-RPC is a remote procedure call protocol which uses XML for encoding and HTTP for transport. WordPress uses XML-RPC for information exchange between clients on the network.
With this functionality, an attacker is able to launch many brute-force login attempts against your WordPress site in a very short period of time.
The attacker will attempt to log in through the xmlrpc.php script with random username/password combinations many times per minute, resulting in a brute-force attack on your WordPress site.
A further problem is that xmlrpc.php also lets the attacker try thousands of password combinations with only a couple of HTTP requests, which can lead to a very high database load.
This can bring your site down, at which point it displays the 'Error establishing database connection' error.
How to block an XML-RPC attack?
You have a couple of ways to block XML-RPC attacks.
Install one of many WordPress plugins that deal with XML-RPC
You could look for a plugin which blocks XML-RPC, such as the ones on this page.
Block all xmlrpc.php requests in WordPress
If you are using an Apache web server, you can do it by inserting the following code in the .htaccess file in your WordPress website's document root:
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>
Block xmlrpc.php in the Apache/Nginx configuration file
If you are using Apache, you can also do it by putting the following code inside the relevant VirtualHost in your Apache configuration file:
<VirtualHost>
    ----------
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>
If you are using Nginx, block xmlrpc.php by putting the following location block inside the server block in your Nginx configuration file:
server {
    -----------
    location /xmlrpc.php {
        deny all;
    }
}
How to find XML-RPC attacks in the logs on different Linux distributions?
On CentOS with Apache:
# grep xmlrpc /var/log/httpd/access_log
On Ubuntu with Apache:
# grep xmlrpc /var/log/apache2/access.log
For a server with Nginx:
# grep xmlrpc /var/log/nginx/access.log
For a server with cPanel:
# grep xmlrpc /home/username/logs/access.log
If your WordPress site is under attack, the output of the previous commands will contain many lines similar to the one below:
"POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
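As an added example that is not part of the original tutorial, the shell script below goes one step beyond the grep above: it counts POST requests to xmlrpc.php per client address in a combined-format access log and reports the sources that exceed a threshold, which is what you would feed into a firewall or fail2ban rule. The log lines, the function names and the threshold are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example: per-IP counting of xmlrpc.php POSTs in a combined-format
# access log. The sample log below is constructed, not taken from a real server.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68.0"
EOF

# xmlrpc_post_counts LOGFILE
# Prints "<count> <ip>" for every client that POSTed to /xmlrpc.php,
# most active first. Field 6 is the quoted method, field 7 the request path.
xmlrpc_post_counts() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# xmlrpc_abusers LOGFILE THRESHOLD
# Prints only the IPs whose xmlrpc.php POST count is >= THRESHOLD,
# i.e. the candidates for a firewall or fail2ban block.
xmlrpc_abusers() {
    xmlrpc_post_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "xmlrpc.php POSTs per source:"
xmlrpc_post_counts "$SAMPLE_LOG"
echo "Sources at or above threshold 3:"
xmlrpc_abusers "$SAMPLE_LOG" 3
```

On a live server replace SAMPLE_LOG with the access log path for your distribution from the list above; a threshold that suits a real site depends on how much legitimate XML-RPC traffic (for example from mobile apps or Jetpack) it normally sees.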