• I have an ongoing attack on my site from two IPs posting to xmlrpc.php, but I thought Wordfence should block this kind of attack.

    
    163.172.190.56 - - [04/Jan/2017:08:15:51 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    163.172.190.56 - - [04/Jan/2017:08:15:51 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    163.172.190.56 - - [04/Jan/2017:08:15:51 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    163.172.190.56 - - [04/Jan/2017:08:15:51 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    212.47.238.237 - - [04/Jan/2017:08:15:51 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    212.47.238.237 - - [04/Jan/2017:08:15:52 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    212.47.238.237 - - [04/Jan/2017:08:15:52 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    212.47.238.237 - - [04/Jan/2017:08:15:52 -0500] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    

    I have manually blocked these IPs in .htaccess now so they get a 403 reply. When I got access to my site after blocking them and checked the “live traffic” section in Wordfence, I saw hundreds of these entries, but the IPs are not being blocked or throttled:

    
    France France visited http://178.62.247.188/xmlrpc.php
    1/4/2017 1:51:38 PM (26 minutes ago)   IP: 163.172.190.56 [block]   Hostname: 56-190-172-163.rev.cloud.scaleway.com
    Browser: IE version 7.0
    Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)
    

    The entries are shown as bots (grey).

    The Wordfence options are set to block IPs after 20 unsuccessful attempts in 5 minutes, which is way below the rate of these attacks. They are coming in about twice per second from each IP.

    Any help is appreciated!
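To see the request rate the poster describes independently of the plugin, here is an added example (not from the original thread or from Wordfence) that parses Apache combined-format lines like the excerpt above and flags any IP that POSTs to /xmlrpc.php 20 or more times inside a sliding 5-minute window, the threshold the poster configured. The sample lines are constructed with documentation IP ranges and are assumed to arrive in roughly chronological order, as an access log does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format, matching the lines in the access-log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, method, path, status, user_agent), or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]), m["ua"]

def xmlrpc_offenders(lines, threshold=20, window=timedelta(minutes=5)):
    """IPs that POST to /xmlrpc.php at least `threshold` times within any sliding
    `window`. Returns {ip: time the threshold was first crossed}. Every POST counts,
    including ones the server already answered 403: we measure the rate, not the outcome."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status, _ua = rec
        if method != "POST" or path.split("?")[0] != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed sample (not the poster's data): 192.0.2.10 posts twice a second
    for 15 s, 198.51.100.7 posts only three times, 203.0.113.5 makes one normal GET."""
    fmt = ('{ip} - - [04/Jan/2017:08:15:{sec:02d} -0500] "POST /xmlrpc.php HTTP/1.0" '
           '403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')
    lines = [fmt.format(ip="192.0.2.10", sec=s) for s in range(15) for _ in range(2)]
    lines += [fmt.format(ip="198.51.100.7", sec=s) for s in (3, 7, 11)]
    lines.append('203.0.113.5 - - [04/Jan/2017:08:15:09 -0500] "GET /index.php HTTP/1.1" '
                 '200 1234 "-" "Mozilla/5.0"')
    return sorted(lines, key=lambda l: parse_line(l)[1])

if __name__ == "__main__":
    for ip, when in xmlrpc_offenders(sample_log()).items():
        print(f"{ip} crossed the xmlrpc.php threshold at {when.isoformat()}")
```

Run it against a real log with `xmlrpc_offenders(open("access.log"))`; lowering `threshold` or widening `window` tunes it to slower scanners.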

Viewing 4 replies - 1 through 4 (of 4 total)
  • The xmlrpc.php file is a favourite hacking entry point into WP files. If you don’t need it, what I did was:
    enter the URL in “Blocked URLs” in Wordfence Options. You can block access to any URL there,
    but don’t block yourself out IF YOU USE IT.

    i.e. http://mysite.com/xmlrpc.php (don’t forget to save your changes at the bottom)

    I see the attempts on my Apache logs, but they are denied access, so I figure that security hole is blocked.

    Or, you can just disable it in .htaccess

    XML-RPC is for mobile app developers to talk to your WordPress site. I never had the need to use it in 8 years.
    More on that here:

    https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/

    I figure to cut out any holes in my site so they can’t get in, sometimes it makes it inconvenient, but I’d rather be safe than sorry.

    Simply deleting the xmlrpc.php file can work in concert with other methods, but you have to delete it every niggling time WordPress updates…

    A better method might even be to make a dummy version with nothing in it but some text saying “greetings, nothing here”, so that there is no security risk but the file will still exist on the server, then indeed set WF Options to “Immediately Block IP that Accesses this URL”.

    Amazing we have to do all this stuff. In ten years it’s going to look rather ridiculous. Like “Daddy, whose fault was it you had to spend all your time with xmlrpc?”

    MTN

    I put this in my .htaccess:

    # mod_alias: answer every request for /xmlrpc.php with a 403 status
    Redirect 403 /xmlrpc.php
    # plain-text body returned with 403 responses
    ErrorDocument 403 Forbidden!

    Thread Starter dybedal

    (@dybedal)

    Thanks for your replies. My current theme forces me to use Jetpack from wordpress.com, and Jetpack uses xmlrpc.php, so I can't just block access to that file.

    I added the code below to my .htaccess file to block requests not claiming to be from Jetpack, and so far it works.

    
    # mod_rewrite (RewriteEngine On is already set in the standard WordPress .htaccess):
    # request is for xmlrpc.php ...
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
    # ... and the User-Agent does not contain "Jetpack" ...
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    # ... then answer 403 Forbidden
    RewriteRule ^(.*)$ - [F]
    

    But I still thought the IPs should be blocked by Wordfence after so many attempts, at least if it is some sort of brute force login attack. Why else would someone be accessing this file?

  • The topic ‘Wordfence does not block XMLRPC attack’ is closed to new replies.