WordPress – block xml-rpc
Posted by danielSep 18
How to disable or block XML-RPC in wordpress served by apache server.
Per the official documentation –
XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface
Unfortunately XML-RPC has drawbacks too, to mention some –
- DDoS via XML-RPC pingbacks
- Brute force attacks via XML-RPC
While looking at the access logs of my web servers, there were so many xmlrpc.php calls that looked suspicious.
121.42.52.27 - - [18/Sep/2019:22:53:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200 3831 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 808526 121.42.52.27 - - [18/Sep/2019:22:53:34 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 868119 121.42.52.27 - - [18/Sep/2019:22:53:35 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 866812 121.42.52.27 - - [18/Sep/2019:22:53:37 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 708040 121.42.52.27 - - [18/Sep/2019:22:53:46 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 715609 121.42.52.27 - - [18/Sep/2019:22:53:48 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 768145 121.42.52.27 - - [18/Sep/2019:22:53:49 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 862514 121.42.52.27 - - [18/Sep/2019:22:53:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 847106 121.42.52.27 - - [18/Sep/2019:22:53:58 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 891537 121.42.52.27 - - [18/Sep/2019:22:54:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 983415 121.42.52.27 - - [18/Sep/2019:22:54:04 -0400] "POST /xmlrpc.php HTTP/1.1" 200 816 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 879661
Searching the abuse IP database –
https://www.abuseipdb.com/check/121.42.52.27 – the remote client hitting my server has been reported several times. Time to block this IP. After some googling, I came across a way to block it with .htaccess. We can either completely block the xmlrpc.php for all external IPs or for a specific blacklisted IPs.
In my .htaccess file, I added below line to block all IPs –
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
We can also block a specific IP address which is showing suspicious activity from our access logs –
<Files xmlrpc.php>
Order Deny,Allow
Allow from all
Deny from 121.42.52.27
</Files>
Post reloading apache, we can see that the remote client is getting 403s –
121.42.52.27 - - [18/Sep/2019:22:55:02 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1310
121.42.52.27 - - [18/Sep/2019:22:55:03 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1645
121.42.52.27 - - [18/Sep/2019:22:55:05 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1352
121.42.52.27 - - [18/Sep/2019:22:55:05 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1208
121.42.52.27 - - [18/Sep/2019:22:55:06 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1177
121.42.52.27 - - [18/Sep/2019:22:55:06 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1633
121.42.52.27 - - [18/Sep/2019:22:55:06 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1568
121.42.52.27 - - [18/Sep/2019:22:55:06 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1398
121.42.52.27 - - [18/Sep/2019:22:55:07 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1262
121.42.52.27 - - [18/Sep/2019:22:55:07 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1917
121.42.52.27 - - [18/Sep/2019:22:55:08 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 2074
121.42.52.27 - - [18/Sep/2019:22:55:08 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 1286
121.42.52.27 - - [18/Sep/2019:22:55:08 -0400] "POST /xmlrpc.php HTTP/1.1" 403 634 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" 847
References –
No comments
You must be logged in to post a comment.