Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author AITpro

    (@aitpro)

    A Dismiss Notice should have been displayed to you with a link to the WordPress XML-RPC DDoS Protection when you upgraded BPS. To reset/recheck Dismiss Notices go to the Security Status tab page and click the Reset/Recheck Dismiss Notices button.

    The code is here: http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/

    Thread Starter mrppp

    (@mrppp)

    OK thanks, as I don’t have a fixed IP, what would happen if using 3 octets and they were changed by my ISP?
    Also I assume the Block/Protect the wp-trackback.php file code also goes in CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE

    Plugin Author AITpro

    (@aitpro)

    Yep, this code would go in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE Custom Code text box. This type of .htaccess code is considered “stand-alone” .htaccess code, which means it can go anywhere in the root .htaccess file and does not need to be inside the WordPress Rewrite Loop – # WP REWRITE LOOP START ….. # WP REWRITE LOOP END to do what it does.

    Here are some scenarios with options/solutions:

    First off if you are not doing any sort of remote posting to your site then you do not need to whitelist any IP addresses. Jetpack and some other plugins do use the XML-RPC protocol to do things so a whitelist rule would need to be created for that plugin. We will be testing Jetpack today to find out what the best whitelist code would be.

    Let’s say your ISP changes the 3rd and 4th octet of your IP address dynamically on a regular basis, but the first octet and 2nd octet are always the same.

    x.x.x.x
    x-first octet.x-2nd octet.x-3rd octet.x-4th octet

    99.88.77.66
    99.88.44.33
    99.88.66.22

    You would create this IP whitelist rule
    Allow from 99.88.

    If you have multiple IP addresses that you want to whitelist by whitelisting just the first 2 octets then you would add them like this.

    Allow from 99.88.
    Allow from 77.66.
    Allow from 22.11.

    Thread Starter mrppp

    (@mrppp)

    Thanks, I use Jetpack so will await your tests. I only use the mobile site part of that plugin though.
    I don’t post remotely so that is fine. (I assume you mean from a mobile or similar.)

    Plugin Author AITpro

    (@aitpro)

    Are you seeing any Security Log entries for Jetpack in your BPS Security Log? If so, post one of them here.

    Thread Starter mrppp

    (@mrppp)

    No, can’t see anything re Jetpack, but I am not implementing the above yet.

    I’m just popping out but will try the above on a site and see what I get in the error log for you later.

    Plugin Author AITpro

    (@aitpro)

    Ok just checking. Jetpack testing starts at 9am today. There are a total of 4 plugins scheduled for testing at 9am. There are 4 other plugins scheduled for testing at 11am today.

    Thread Starter mrppp

    (@mrppp)

    OK, I will keep a look out for updates on the tests before trying it.

    Plugin Author AITpro

    (@aitpro)

    XML-RPC Jetpack Whitelist Test Results:

    AITpro Bot/x9.3 probeX2 bot event:

    [403 GET / HEAD Request: March 26, 2014 - 9:14 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: x.x.x.x
    Host Name: x-x-x-x.lightspeed.irvnca.sbcglobal.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /xmlrpc.php?url=http%3A%2F%2Faitpro.local%2Fscripts%2Fxmlrpc-test.php%3Fresponsetest%3D1%26secret%3Ddebug
    QUERY_STRING:
    HTTP_USER_AGENT: AITpro Bot/x9.3 probeX2

    Best Whitelisting method: Whitelist the root domain of the Host Name

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from sbcglobal.net
    </FilesMatch>

    Scenario: XML-RPC client/server connection to jetpack.wordpress.com

    Best Whitelisting method: Whitelist the root domain of the Host Name

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    </FilesMatch>

    Whitelisting multiple Hosts:

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    Allow from sbcglobal.net
    Allow from gumby.com
    Allow from zippy.com
    </FilesMatch>

    Thread Starter mrppp

    (@mrppp)

    So something like

    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.  ( REMOVE THE # and use 2 octets of my IP)
    </FilesMatch>
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    </FilesMatch>

    In this bit, how do I know what plugins’ domains to allow?

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    Allow from wordpress.com
    </FilesMatch>

    Plugin Author AITpro

    (@aitpro)

    In this bit, how do I know what plugins’ domains to allow?

    The simplest way is to use whatever device or connection that you use that connects to XML-RPC and then when that connection is blocked, go to your BPS Security Log and get the Host Name from the Security Log entry and whitelist that Host Name in your code. Allow from xyz.com

    Thread Starter mrppp

    (@mrppp)

    Sorry, I meant regarding plugins, as I may not know they are blocked, if that makes sense?

    Plugin Author AITpro

    (@aitpro)

    You will always know when something is blocked by checking the BPS Security Log. The Security Log is not just for logging blocked/forbidden hackers, spammers, scrapers, miners, bad bots, harvesters, etc etc etc etc. The Security Log is the primary troubleshooting/diagnostic tool in BPS, much like an Apache Server log is.

    If BPS is blocking something it will be logged in the Security Log. That would not be known until you have a Security Log entry to look at that shows what is being blocked so that you can whitelist whatever is being blocked.
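
The three whitelisting rules this thread relies on (the 2-octet “Allow from 99.88.” form from the octet discussion, the “Allow from sbcglobal.net” / “Allow from wordpress.com” host-name form from the Jetpack test results, and the read-the-Security-Log-then-whitelist step described just above) modelled in Python. This is an added example for this page, not code from BPS, Apache or the thread’s participants. The log entry, the two DNS tables and every function name below are constructed for illustration; the matching semantics follow Apache’s documented behaviour for Order/Deny/Allow: a partial IP is a prefix of whole octets, a host name only matches after a double-reverse DNS lookup and only on whole labels, and only REMOTE_ADDR is consulted.

```python
"""Model of the .htaccess access rules discussed in this thread:

    Order Deny,Allow
    Deny from all
    Allow from <partial IP | CIDR | domain>

applied to a BulletProof Security (BPS) Security Log entry. Added example for
this page, not BPS or Apache code. The log entry, the DNS tables and the
function names are constructed for illustration.
"""
import ipaddress

# Constructed log entry in the BPS Security Log layout quoted in the thread.
SAMPLE_LOG = """[403 GET / HEAD Request: March 26, 2014 - 9:14 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 99.88.77.66
Host Name: 99-88-77-66.lightspeed.irvnca.sbcglobal.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 203.0.113.9
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: AITpro Bot/x9.3 probeX2
"""

# Constructed resolver tables standing in for DNS. Apache only trusts a client
# host name for "Allow from <domain>" after a double-reverse lookup: PTR on the
# client IP, then a forward lookup of that name must contain the same IP.
PTR_TABLE = {
    "99.88.77.66": "99-88-77-66.lightspeed.irvnca.sbcglobal.net",
    "203.0.113.9": "mail.sbcglobal.net",  # forged PTR naming a host it does not own
}
FORWARD_TABLE = {
    "99-88-77-66.lightspeed.irvnca.sbcglobal.net": {"99.88.77.66"},
    "mail.sbcglobal.net": {"198.51.100.4"},
}


def parse_bps_entry(text):
    """Turn one 'Key: value' Security Log entry into a dict (header line skipped)."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("["):
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
    return entry


def rule_network(spec):
    """Network covered by an 'Allow from' IP spec, or None if the spec is not an IP.
    Apache's legacy partial form keeps only the octets given:
    '99.88.' -> 99.88.0.0/16, '99.88.77.' -> 99.88.77.0/24."""
    if "/" in spec:
        try:
            return ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return None
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def confirmed_hostname(ip, ptr=PTR_TABLE, forward=FORWARD_TABLE):
    """Double-reverse lookup: use the PTR name only if it resolves back to ip."""
    name = ptr.get(ip)
    if name and ip in forward.get(name, set()):
        return name.lower()
    return None


def in_domain(domain, host):
    """Apache-style suffix match on whole labels: 'sbcglobal.net' matches
    'a.sbcglobal.net' but not 'notsbcglobal.net'."""
    domain, host = domain.lower().lstrip("."), host.lower()
    return host == domain or host.endswith("." + domain)


def is_allowed(entry, allow_rules, ptr=PTR_TABLE, forward=FORWARD_TABLE):
    """Evaluate 'Order Deny,Allow / Deny from all / Allow from ...' for one entry.
    Only REMOTE_ADDR is consulted: X-Forwarded-For and similar headers are set
    by the client and Apache's Allow ignores them. Returns the matching rule,
    or None when the request stays forbidden."""
    client_ip = ipaddress.ip_address(entry["REMOTE_ADDR"])
    for rule in allow_rules:
        net = rule_network(rule)
        if net is not None:
            if client_ip in net:
                return rule
            continue
        host = confirmed_hostname(str(client_ip), ptr, forward)
        if host and in_domain(rule, host):
            return rule
    return None


def suggest_allow_line(entry):
    """The whitelisting step from the thread: take the root domain of the logged
    Host Name and emit an Allow line for it. 'Root domain' here means the last
    two labels, an assumption that is wrong under public suffixes like co.uk."""
    labels = entry["Host Name"].split(".")
    return "Allow from " + ".".join(labels[-2:])


if __name__ == "__main__":
    entry = parse_bps_entry(SAMPLE_LOG)
    for rules in (["99.88."], ["99.88.77."], ["sbcglobal.net"], ["203.0.113."]):
        print(rules, "->", is_allowed(entry, rules))
    print(suggest_allow_line(entry))
```

Two things the model makes visible that the thread does not spell out: “Allow from 99.88.” opens xmlrpc.php to 65,536 addresses, every customer on that ISP block, so 3 octets are preferable whenever the ISP keeps them stable, and the Allow lines for a file are easiest to audit when they all sit in one FilesMatch section as in the “multiple Hosts” block above; and because only REMOTE_ADDR counts, a forged X-Forwarded-For header or a forged PTR record does not get through, but a site behind a CDN or reverse proxy sees the proxy’s address, which the whitelist would then have to name instead of the client’s. A host-name rule also costs the server a DNS lookup on every request to the protected file.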

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – thread has been resolved.


The topic ‘New Bonus Custom Code’ is closed to new replies.