There are many instances of XMLRPC attacks these days. This WordPress security issue arises when a server has not been protected or optimized, and it can lead to errors or downtime after receiving only a small amount of malicious traffic.
Usually, these types of attacks result in the exhaustion of system resources. While monitoring my system, I noticed a huge increase in xmlrpc.php use.
Each of those requests took approximately 200 MB of RAM and brought the website down; eventually my websites were down for some 3 hours or so.
I came to know that it was a Denial of Service (DDoS) attack while checking the NGINX logs with the following command:
sudo tail -f /var/log/nginx/error.log
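The spike described above is easiest to spot in the access log rather than the error log. As an added example (not code from the original post), this Python script parses a few constructed NGINX access-log lines in the default "combined" format and flags client IPs that POST to xmlrpc.php more than a few times in one minute; the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in NGINX "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2019:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2019:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/5.1; app"
192.0.2.9 - - [12/Mar/2019:10:16:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "python-requests/2.21"
"""

# Fields of the combined format up to the status code; the rest is not needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, minute, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = m.group('ts')            # e.g. 12/Mar/2019:10:15:01 +0000
    minute = ts[:ts.rfind(':')]   # drop the seconds -> one bucket per minute
    return m.group('ip'), minute, m.group('method'), m.group('path'), int(m.group('status'))

def xmlrpc_hits_per_minute(log_text):
    """Count POST requests to /xmlrpc.php per (client IP, minute)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, minute, method, path, _status = parsed
        if method == 'POST' and path.split('?')[0] == '/xmlrpc.php':
            counts[(ip, minute)] += 1
    return counts

def flag_abusers(log_text, threshold=3):
    """Return the IPs that hit xmlrpc.php at least `threshold` times within one minute."""
    counts = xmlrpc_hits_per_minute(log_text)
    return sorted({ip for (ip, _minute), n in counts.items() if n >= threshold})
```

Run it against /var/log/nginx/access.log instead of SAMPLE_LOG to see which clients are hammering the endpoint before and after you apply one of the blocks below; a legitimate mobile app posts once per action, not hundreds of times a minute.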
I did some research and found that many hackers are now using xmlrpc.php instead of wp-login.php to execute XMLRPC attacks (brute force attacks). But the most unfortunate thing is that, since WordPress 3.5, there is no built-in setting to turn xmlrpc.php off.
Hours of research helped me get rid of this Denial of Service (DDoS) attack, and my website was up and running within 2 minutes of applying the fix. So I decided to post the solution to this brute force attack to help people who are facing the same problem.
6 WordPress Security Tips: Prevent WordPress XMLRPC Attacks
1. Deleting xmlrpc.php file
This is really not recommended, as XMLRPC on WordPress is actually an API (application programming interface). It gives developers (who make mobile apps, desktop apps and other services) the ability to:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments
After the next WordPress (auto) update, the deleted file will be restored, so this is not a smart way to get rid of the issue.
2. Plugins
This is one of the easiest methods. There are several plugins available that will do the job for you: just install and activate one. I found these to be the most used: Disable XMLRPC, XMLRPC Pingback and Manage XML-RPC. These plugins are really basic and include only a couple of lines of code, but they help protect your blog against these attacks.
3. Adding filter to functions.php file
This is just an alternative to a plugin. Those who do not like having too many plugins in their WordPress admin panel can add a filter to the active theme instead. All you need to do is edit your theme's functions.php and add these few lines:

// Remove the X-Pingback header so the site stops advertising its XML-RPC endpoint
function remove_x_pingback($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'remove_x_pingback');

// Refuse XML-RPC methods that require authentication (the file itself still exists)
add_filter('xmlrpc_enabled', '__return_false');
4. Block access at .htaccess
You just need to edit the .htaccess file and add the following block of code. This will block access to the xmlrpc.php file entirely: any request for xmlrpc.php, including an attacker's, gets a 403 Forbidden response.

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Note that Order and Deny are Apache 2.2 directives; on Apache 2.4 they need mod_access_compat, otherwise use Require all denied inside the block instead.
5. Blocking access in NGINX
If you are using LEMP (Linux, NGINX, MySQL, PHP) or simply the NGINX web server instead of Apache, add this location to your NGINX server block (the = makes it an exact match for /xmlrpc.php):

server {
    location = /xmlrpc.php {
        deny all;
    }
}
6. Block on the entire server
If you have a single server or VPS with a large number of WordPress installations, the best way to get rid of this issue is to block access to the xmlrpc.php file at the Apache level, simply by adding these few lines to the httpd.conf file:

<FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
</FilesMatch>

You can make this even better by using the following version instead, which also blocks wp-trackback.php and so prevents trackback hacking attempts:

<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
</FilesMatch>
This will surely get rid of that Denial of Service (DDoS) attack.
I hope you find these WordPress security tips useful for preventing WordPress XMLRPC attacks.
If you have other ways to improve WordPress security and prevent WordPress XMLRPC attacks, share them with us in the comment section below.
If you like this post share it with your friends on social media and help people stay secure against such attacks.
I had the same issue with my WordPress website. I removed the XML-RPC file. Since you don't recommend the method, I blocked the access using server blocks in NGINX. Thanks for this amazing info.
Awesome work!