xmlrpc.php causing high load in server – How to recover and prevent this issue in cPanel, Plesk and DirectAdmin Apache servers
In cPanel, Plesk and DirectAdmin servers that have WordPress websites, high server load is sometimes reported with “xmlrpc.php” showing up as the top CPU hog. xmlrpc.php is a file in WordPress websites used for remote publishing and ping-back tracking. Botnets target this file to initiate brute force attacks to gain control of the targeted website. This causes high load in the server.
Bobcares helps web hosts, VPS providers and cloud providers block such attacks, and maintain high service uptime. Server load mitigation, and attack mitigation is a critical part of our web server management services. Here we’ll go through the steps we take to recover from an xmlrpc.php attack, and how to prevent it.
How to recover from high load
When the server is under high load, your first priority is to restore normalcy. For this, you’ll need to prevent access to xmlrpc.php at the Apache connection level. You can do this by adding the below directive to Apache configuration file, and restarting the server.
Files ~ "xmlrpc.php" Order allow,deny Deny from all Files
How to prevent xmlrpc.php abuse
Disabling access to xmlrpc.php is only a temporary solution as many websites would need it to track blog ping-backs or do remote publishing. So, the solution is to block the attacks based on a common attack signature. Here’s a sample of xmlrpc.php attack log:
22.214.171.124 - - [21/Jan/2015:15:37:54 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 126.96.36.199 - - [21/Jan/2015:15:37:55 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 188.8.131.52 - - [21/Jan/2015:15:37:57 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 184.108.40.206 - - [21/Jan/2015:15:38:02 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 220.127.116.11 - - [21/Jan/2015:15:38:11 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861 18.104.22.168 - - [21/Jan/2015:15:38:13 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861 22.214.171.124 - - [21/Jan/2015:15:38:18 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
A valid request will have a referrer field, while the attacks wont usually have a referrer field. So, a firewall rule can be used to block such requests. Mod_security can come in very handy for this. Add the following to the mod_security rule set.
#Block requests to xmlrpc.php with no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "xmlrpc.php"
For dedicated servers with a limited set of WordPress sites, it might be easier and more flexible to install a plugin like “xmlrpc attacks blocker“.