WordPress XMLRPC Attack – How to safeguard your website?
WordPress attacks increased by 74% from last year!
This alarming rate of website attacks mainly happens when the WordPress installation does not follow proper security practices.
And one of the common ways such websites get hacked is the “WordPress XMLRPC Attack”.
At Bobcares, we help customers to protect their WordPress websites against common vulnerabilities as part of our Dedicated Support Services for Web Hosts.
Today, we’ll see more about the WordPress XML-RPC attack and how we prevent it.
What is a WordPress XMLRPC attack?
WordPress gives website developers the flexibility to publish or modify website content without actually using the admin login page.
XMLRPC is one such method; it lets applications like mobile apps authenticate before performing privileged actions on the site.
Though this function comes in really handy for remote management of WordPress, hackers often misuse it.
There are mainly two types of common attacks using XMLRPC.
1. Brute force attacks
Using XML-RPC, attackers try to access the WordPress dashboard through a large number of login attempts. They hit the admin login with an endless stream of username/password combinations until they gain entry into your site.
2. DDoS attacks
In a distributed denial of service attack, the hacker launches a large number of pingback requests at your WordPress website. This overloads the web server and eventually makes the website unavailable.
How to identify a WordPress XMLRPC attack?
Now, let us see how to quickly identify whether a WordPress website is under XML-RPC attack or not.
The main signs of such an attack include:
- The error “Error establishing database connection” appears on the website every now and then.
- Connections to the website end in a timeout error.
- High memory usage on the server.
To confirm that a real XML-RPC attack is underway, our Hosting Support Engineers check the website log files for the exact pattern “xmlrpc”.
The command varies depending on the log file location of the website. On a cPanel server, it would be:
grep -i xmlrpc /home/username/logs/access.log
And the log entries for a website under attack would show up as:
40.xx.xx.70 - - [23/Aug/2018:22:18:36 +0000] "POST //xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/63.0.3239.132 Safari/537.36"
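As an added example (not part of the original post), here is a small Python script that goes one step beyond the grep above: it parses access.log lines in the combined format shown, keeps only POSTs to xmlrpc.php, and flags any source IP that sends a burst of them inside a short window. The log lines and addresses it contains are constructed samples, and the threshold and window sizes are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log line, like the entry above. Attack traffic often requests
# "//xmlrpc.php" (double slash), so the path check tolerates repeated slashes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
XMLRPC_RE = re.compile(r'^/+xmlrpc\.php(?:[?#].*)?$', re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Split one log line into fields; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def xmlrpc_hits(lines):
    """Map each client IP to the timestamps of its POSTs to xmlrpc.php."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and XMLRPC_RE.match(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)

def flag_sources(lines, threshold=5, window_s=60):
    """IPs sending >= threshold xmlrpc.php POSTs within any window_s seconds -> total POSTs."""
    flagged = {}
    for ip, stamps in xmlrpc_hits(lines).items():
        stamps.sort()
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

def _line(ip, ts, method, path, status=200):
    # Constructed sample entry (RFC 5737 addresses), modelled on the log line above.
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 401 "-" "Mozilla/5.0 (constructed)"'

SAMPLE_LOG = [_line("203.0.113.7", f"23/Aug/2018:22:18:{30 + i:02d}", "POST", "//xmlrpc.php")
              for i in range(6)]                                            # burst: 6 in 6 s
SAMPLE_LOG += [_line("198.51.100.9", "23/Aug/2018:22:10:00", "POST", "/xmlrpc.php"),  # real app,
               _line("198.51.100.9", "23/Aug/2018:22:40:00", "POST", "/xmlrpc.php"),  # 30 min apart
               _line("198.51.100.9", "23/Aug/2018:22:41:00", "GET", "/xmlrpc.php", 405)]  # GET ignored
```

Running flag_sources over a real log (for example the output of the grep above) gives you the offending addresses to rate-limit or block, while a legitimate mobile app posting occasionally stays below the threshold.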
How to prevent a WordPress XMLRPC attack?
Now that we know the website is under attack, quick action is needed to prevent it from going down.
Fortunately, there are many measures to prevent a WordPress XMLRPC attack. We’ll now take a look at each of them.
1. Block XMLRPC requests
To avoid xmlrpc attacks, our Hosting Support Engineers block the execution of this file entirely. This block can be placed on the entire server or on a single domain.
To block it on the entire server, we need to make changes in the web server configuration file.
For example, on an Apache server, we add this snippet to the httpd.conf file:
<FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
</FilesMatch>
On Apache 2.4, the equivalent directive inside the FilesMatch block is Require all denied.
Similarly, we can block access to xmlrpc.php using the .htaccess file of each domain.
2. Use security plugins
Another, probably easier, method to block XML-RPC is to install plugins like “Disable-XMLRPC”, “G2 Security” etc. These plugins add effective protection to your WordPress blog.
3. Custom modifications
A third way to disable XML-RPC is to modify the functions.php file of the WordPress theme used on the website. To filter the XML-RPC requests to the website, we need to add
This will disable the remote access feature of WordPress.
With WordPress offering advanced management tools like the WordPress REST API, there is ideally no need to worry about XML-RPC attacks as such.
But WordPress is backward compatible software, and older versions still use the XML-RPC function. That said, we cannot simply rule out the possibility of an XML-RPC attack on websites. Today, we’ve done an in-depth analysis of the XML-RPC attack and how our Security Engineers completely block it on the server.