Moderator
James Huff
(@macmanx)
Volunteer Moderator
It’s sadly normal, “attempting to brute-force xmlrpc.php” is the new “attempting to brute-force wp-login.php.”
Ask your hosting provider to rate-limit xmlrpc.php, and if they instead recommend deleting the file, it’s time for a new hosting provider. 😉
Alternatively, http://wordpress.org/plugins/login-security-solution/ can rate-limit xmlrpc.php for you, but that’s a security measure and not an anti-DDOS measure, as you’ll be putting the same load on the plugin instead of xmlrpc.php.
My host was kind enough to implement some mod_sec rules and a cron that mitigated this issue. Your host really should be able to help you. None of the security plugins will prevent this issue.
This is still a problem even with the latest version of wordpress (3.9.2) and all plugins up to date (I do not use very many).
I mitigated the problem server side, but my xmlrpc.php was getting hit by thousands of ip .
The people behind the exploit are moderately sophisticated and can adapt to many security measures.
Getting the attack on a WP 4.0 install. Taken care of it on server side but they are still hammering xmlrpc.php.
It is not only xmlrpc.php – also continuous hammering on login page, despite Brute Protect and server side Mod Sec rules.
Curious to know what server side action you have taken
Here is an interesting thread (quite long at 21 pages)
http://www.webhostingtalk.com/showthread.php?t=1255387&highlight=wordpress+brute+force
@iamhere,
What the actions your provider done to mitigate the attacks? I have a dedicated server and I’d like to understand what I can do.
Thanks!
Saúde!
m.
Here is an extra available for anyone from AITpro at BulletProof Security (plugin):
# XML-RPC DDoS PROTECTION
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Also block Pingbacks and Trackbacks
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
If you use Jetpack then you will need to whitelist the Jetpack CIDR IP Address blocks to allow Jetpack to communicate successfully and not be blocked.
# XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack/ Automattic CIDR IP Address Blocks
Allow from 192.0.64.0/18
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Deny from all
</FilesMatch>
