XMLRPC attack resulting in performance drop
Dear BruteProtect
Unfortunately today my new site (still in production) was targeted by an attack (most likely the old scripted XMLRPC) which targeted the xmlrpc.php file on my WordPress install.
Fortunately the attack lasted only over an hour and no damage was caused due to a couple of preventative measures already in place on my WP install as well as having everything up-to-date. However, I did have BruteProtect which looks like it attempted to protect the site but to what degree I’m not sure.
However, what this attack did result in was in fact a DDOS as PHP started to struggle with the number of requests. In future I should have more in place to prevent this as I will have CloudFlare enabled amongst a series of other minor DDOS protection tools.
Here is a report from NewRelic:
Error message: E_WARNING: Cannot modify header information - headers already sent
Stack trace:
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ class-IXR.php (507)
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ functions.php (2577)
in _xmlrpc_wp_die_handler called at ? (?)
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ functions.php (2375)
…erpilot/apps/***/public/wp-content/plugins/bruteprotect/ bruteprotect.php (394)
…erpilot/apps/***/public/wp-content/plugins/bruteprotect/ bruteprotect.php (358)
…erpilot/apps/***/public/wp-content/plugins/bruteprotect/ bruteprotect.php (141)
in BruteProtect::brute_check_preauth called at ? (?)
… called at /srv/users/***verpilot/apps/***/public/wp-includes/ plugin.php (214)
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ pluggable.php (557)
…users/serverpilot/apps/***/public/wp-includes/ class-wp-xmlrpc-server.php (223)
…users/serverpilot/apps/***/public/wp-includes/ class-wp-xmlrpc-server.php (3954)
…users/serverpilot/apps/***/public/wp-includes/ class-wp-xmlrpc-server.php (519)
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ class-IXR.php (467)
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ class-IXR.php (417)
…lled at /srv/users/serverpilot/apps/***/public/wp-includes/ class-IXR.php (390)
…users/serverpilot/apps/***/public/wp-includes/ class-wp-xmlrpc-server.php (159)
…erve_request called at /srv/users/serverpilot/apps/***/public/ xmlrpc.php (84)
I have also provided you with a copy of my Nginx Access Log and a consolidated list of IPs which were used in the attack. 292 Unique IPs to be exact.
This appears to be a botnet (possibly infected shared/WordPress/vps servers).
I’m not sure to what degree you guys are able to help block these IPs:
- Possibly integrating them into BruteProtect’s DB
Any further advice, plugins, server software, etc which we could use to avoid such attacks in future would be sincerely appreciated.
- For instance would you suggest adding this list to my .htaccess file as deny all?
Kind regards
Jeremy
Have a merry Christmas!
PS: A little more info regarding my server setup:
- Server: DigitalOcean 1CPU & 512RAM (1 WordPress Install)
- CP: Server Pilot
- PHP: 5.6 | Apache 2.4 | Nginx Stable | MySQL
- WordPress: WordPress 4.1
- Plugins: BruteProtect, Akismet, Disable XML-RPC Pingback
- Other: .htaccess edits
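Added example, not part of the original post and not BruteProtect's code: one way to build the consolidated IP list from an Nginx access log and turn it into an Apache 2.4 .htaccess block that denies only xmlrpc.php. It assumes the Nginx "combined" log format, a hypothetical threshold of 2 POSTs per address, and that Apache sees the real client address behind Nginx; the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in nginx "combined" format; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.10 - - [01/Jan/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.10 - - [01/Jan/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [01/Jan/2015:10:00:03 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "-"
198.51.100.7 - - [01/Jan/2015:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.5 - - [01/Jan/2015:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
203.0.113.5 - - [01/Jan/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 900 "-" "-"
203.0.113.9 - - [01/Jan/2015:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" \d{3} ')

def xmlrpc_posts_per_ip(lines):
    """Count POST requests to xmlrpc.php per client address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format, ignore
        ip, method, target = m.groups()
        if method == "POST" and target.split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[ip] += 1
    return counts

def offenders(counts, threshold):
    """Addresses at or above the threshold; ip_address() rejects non-IP tokens."""
    hits = [ipaddress.ip_address(ip) for ip, n in counts.items() if n >= threshold]
    return [str(a) for a in sorted(hits, key=lambda a: (a.version, int(a)))]

def htaccess_block(ips):
    """Render an Apache 2.4 block that denies the addresses access to xmlrpc.php only."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in ips)
    return ('<Files "xmlrpc.php">\n  <RequireAll>\n    Require all granted\n'
            f"{rules}\n  </RequireAll>\n</Files>\n")

if __name__ == "__main__":
    counts = xmlrpc_posts_per_ip(SAMPLE_LOG.splitlines())
    print(htaccess_block(offenders(counts, threshold=2)))
```

A static list like this only covers addresses already seen, so it needs regenerating from fresh logs as the source addresses change.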