WordPress XMLRPC attacks are on the increase again, and we have noticed a number of sites receiving attempted denial-of-service attacks through them. Normally an attempt comes from one IP, or maybe a couple, hitting xmlrpc.php with many username and password combinations, i.e. a brute-force login through the XMLRPC interface rather than the normal login form.
Attacks are different this time
We have noticed that low-volume sites have been getting hit from 20 to 40 different IPs at the same time, so this is an attempt either to bring your site to a halt while it deals with these requests, or to spread the attempts thinly enough to slip past per-IP rate limits and detection. You will be happy to know that we do protect you against this type of attack through our firewalls; however, they can miss some attempts, because making the rules aggressive enough to catch everything can break plugins.
Some Plugins need XMLRPC
Jetpack from Automattic (the company behind WordPress.com) is one of those plugins; there are certainly more, but this is one of the mainstream plugins that is dependent on XMLRPC. So what can you do about it? Quite a bit: with a little code in the .htaccess file your site can deny such requests at the web server, before WordPress or PHP ever run for them.
All you need to do is add the following code to the .htaccess file in the public_html folder to protect your site; if you have addon domains this will protect them too. You can also create a .htaccess in the folder just above public_html, and this will also protect all sites underneath it.
Copy the following code and paste it just below the # END WordPress line.
<FilesMatch "xmlrpc.php">
    order deny,allow
    deny from all
    allow from 76.74.254.0/25
    allow from 216.151.209.0/25
    allow from 66.135.48.128/25
    allow from 69.174.248.128/25
    allow from 76.74.255.0/25
    allow from 216.151.210.0/25
    allow from 76.74.248.128/25
    allow from 207.198.112.0/24
    allow from 207.198.101.0/25
    allow from 198.181.116.0/22
    allow from 192.0.64.0/18
    allow from 66.155.38.0/24
    allow from 209.15.21.0/24
    allow from 64.34.206.0/24
    allow from 207.198.112.0/23
</FilesMatch>
Why all the IP’s in the file?
What we have done is add all the IP ranges that Automattic use. With order deny,allow, a matching allow line overrides the deny from all, so the block refuses every IP except Automattic's (the WordPress.com servers Jetpack connects from) and Jetpack continues to work as normal. Two things worth knowing: the list is a snapshot at the time of writing (the 207.198.112.0/24 entry is already covered by 207.198.112.0/23, which is harmless), so check Automattic's currently published ranges if Jetpack stops connecting; and because the allow lines are IPv4 only, a connection from anywhere else, including over IPv6, will be refused.
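As an added example (not part of the original post, and not Automattic's or WordPress's code), the following Python script takes the allow list above, validates and collapses the ranges, emulates the order deny,allow / deny from all / allow from decision so you can check which client addresses would pass, and renders the block in either the 2.2-style syntax used above or the Apache 2.4 Require syntax. The range list is copied from the post; the anchored regex, the Apache 2.4 rendering and the probe addresses are this example's own choices.

```python
import ipaddress

# The Automattic ranges exactly as listed in the post. This is a point-in-time
# snapshot copied from the post, not fetched from anywhere; regenerate it from
# Automattic's currently published ranges before deploying.
AUTOMATTIC_RANGES = [
    "76.74.254.0/25", "216.151.209.0/25", "66.135.48.128/25",
    "69.174.248.128/25", "76.74.255.0/25", "216.151.210.0/25",
    "76.74.248.128/25", "207.198.112.0/24", "207.198.101.0/25",
    "198.181.116.0/22", "192.0.64.0/18", "66.155.38.0/24",
    "209.15.21.0/24", "64.34.206.0/24", "207.198.112.0/23",
]


def parse_ranges(cidrs):
    """Validate every entry as a CIDR with zero host bits (a typo such as
    192.0.64.1/18 raises ValueError instead of silently allowing the wrong
    block) and collapse duplicates and subsumed networks, e.g. the /24 that
    sits inside 207.198.112.0/23. Returns a sorted list of IPv4Network."""
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(client_ip, cidrs):
    """Emulate the Apache decision for 'order deny,allow' + 'deny from all' +
    'allow from <range>': with that order a matching allow overrides the deny,
    so a client passes if and only if it falls inside one of the ranges.
    An IPv6 client never matches an IPv4 range and is therefore denied."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_ranges(cidrs))


def render_htaccess(cidrs, apache24=True):
    """Emit a <FilesMatch> block protecting xmlrpc.php. apache24=True uses the
    Apache 2.4 'Require' syntax; apache24=False emits the 2.2-style
    order/deny/allow form the post uses (Apache 2.4 only honours that form
    when mod_access_compat is loaded). The pattern is anchored and the dot
    escaped so that only the file named exactly xmlrpc.php is matched."""
    nets = parse_ranges(cidrs)
    lines = [r'<FilesMatch "^xmlrpc\.php$">']
    if apache24:
        lines.append("    <RequireAny>")
        lines.extend(f"        Require ip {net}" for net in nets)
        lines.append("    </RequireAny>")
    else:
        lines.append("    Order deny,allow")
        lines.append("    Deny from all")
        lines.extend(f"    Allow from {net}" for net in nets)
    lines.append("</FilesMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_htaccess(AUTOMATTIC_RANGES))
    # Probe addresses are illustrative: one inside 192.0.64.0/18, one inside
    # 207.198.112.0/23, and a documentation address that should be refused.
    for probe in ("192.0.64.1", "207.198.113.7", "203.0.113.9"):
        verdict = "allowed" if is_allowed(probe, AUTOMATTIC_RANGES) else "denied"
        print(f"{probe}: {verdict}")
```

On Apache 2.4 the Require directives in .htaccess need AllowOverride AuthConfig, whereas order/deny/allow need AllowOverride Limit plus mod_access_compat; if the block is silently ignored, that is the first thing to check.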
If you have any questions please don't hesitate to get in touch. Also, if you're not confident in carrying this out, we can implement it for you; just raise a ticket.
Important
Now test it: go to yoursite.com/xmlrpc.php and you should see the web server's plain Forbidden (403) message, not a page in your site's theme. If instead you get a WordPress "page not found" page, the denial is being handed to WordPress, which is bad: WordPress and PHP still run for every attack request, which is exactly the load you are trying to avoid, and the response becomes a 404 rather than a 403.
If this is the case, use the following code in the .htaccess instead.
<FilesMatch "xmlrpc.php">
    order deny,allow
    deny from all
    allow from 76.74.254.0/25
    allow from 216.151.209.0/25
    allow from 66.135.48.128/25
    allow from 69.174.248.128/25
    allow from 76.74.255.0/25
    allow from 216.151.210.0/25
    allow from 76.74.248.128/25
    allow from 207.198.112.0/24
    allow from 207.198.101.0/25
    allow from 198.181.116.0/22
    allow from 192.0.64.0/18
    allow from 66.155.38.0/24
    allow from 209.15.21.0/24
    allow from 64.34.206.0/24
    allow from 207.198.112.0/23
    ErrorDocument 403 https://www.google.com/
</FilesMatch>
As you can see, we have added an ErrorDocument directive that sends the denied traffic away, to Google in this case; you can send it wherever you want, though a static page on a server you control is the polite choice. Because the target is a full URL, Apache answers these requests with a redirect (302) instead of a 403, so the attacker's client is bounced elsewhere; the important part is that the error is no longer handed to WordPress, so PHP still does not run for it.
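As an added example covering both the test described under Important and the ErrorDocument redirect variant (example code, not from the original post), this Python script fetches yoursite.com/xmlrpc.php without following redirects and classifies the answer: refused by the web server (403), redirected by ErrorDocument, rendered by WordPress (the bad case), or reachable (the rule is not being applied). The sample responses embedded in it are constructed, not captured from any real site; the markers it looks for (wp-content, the error404 body class, and the "XML-RPC server accepts POST requests only." text) are WordPress conventions, and the verdict names are this example's own.

```python
import sys
import urllib.error
import urllib.request

# Exact text WordPress core returns for a non-POST request to xmlrpc.php.
WP_POST_ONLY = "XML-RPC server accepts POST requests only."

# Verdicts returned by classify_xmlrpc_response().
BLOCKED = "BLOCKED"                      # web server refused it; WordPress never ran
REDIRECTED = "REDIRECTED"                # ErrorDocument 403 <URL> variant: 3xx, WordPress never ran
WORDPRESS_HANDLED = "WORDPRESS_HANDLED"  # WordPress rendered the error page: PHP ran, rule ineffective
OPEN = "OPEN"                            # xmlrpc.php itself answered: rule not applied
UNKNOWN = "UNKNOWN"


def _looks_like_wordpress_page(body):
    # Theme-rendered pages pull assets from wp-content, and a WordPress 404
    # tags <body> with the error404 class.
    return "wp-content" in body or "error404" in body


def classify_xmlrpc_response(status, headers, body):
    """Classify how a GET of /xmlrpc.php (redirects not followed) was handled."""
    lower = {name.lower(): value for name, value in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in lower:
        return REDIRECTED
    if status in (403, 404) and _looks_like_wordpress_page(body):
        return WORDPRESS_HANDLED
    if status == 403:
        return BLOCKED
    if status == 405 or WP_POST_ONLY in body or "<methodResponse>" in body:
        return OPEN
    return UNKNOWN


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as an HTTPError instead of following it


def probe(url, timeout=10):
    """GET url and return (status, headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from any real site), one per verdict.
SAMPLES = {
    "apache_forbidden": (403, {"Server": "Apache"},
        "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1>"
        "<p>You don't have permission to access this resource.</p></body></html>"),
    "wordpress_404": (404, {"Server": "Apache", "X-Powered-By": "PHP/7.4.3"},
        '<!DOCTYPE html><html><head><link rel="stylesheet" '
        'href="https://example.com/wp-content/themes/demo/style.css"></head>'
        '<body class="error404">Oops! That page can&#8217;t be found.</body></html>'),
    "error_document_redirect": (302, {"Location": "https://www.google.com/"}, ""),
    "xmlrpc_reachable": (405, {"Allow": "POST", "Content-Type": "text/plain"}, WP_POST_ONLY),
}


def classify_samples():
    """Run the classifier over the constructed samples: name -> verdict."""
    return {name: classify_xmlrpc_response(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python check_xmlrpc.py https://yoursite.com
        status, headers, body = probe(sys.argv[1].rstrip("/") + "/xmlrpc.php")
        print(status, classify_xmlrpc_response(status, headers, body))
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Only BLOCKED and REDIRECTED mean the rule is doing its job; WORDPRESS_HANDLED is the case the post warns about, and OPEN means the .htaccess is not being applied at all (wrong folder, or AllowOverride not permitting it).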