WordPress XMLRPC Attacks

XML-RPC is a remote procedure call protocol that lets WordPress communicate with other systems; it uses HTTP as the transport mechanism and XML as the encoding for its calls.

WordPress uses XMLRPC to transmit XML data over HTTP to other systems.

From what I know, XMLRPC is being replaced by the WP API. However, WordPress continues to support it, mostly for compatibility, if I'm not wrong.

The XMLRPC file can be abused to amplify attacks such as brute-force login attempts.

In this attack you will find only a single request in the access logs, but that single request may carry many brute-force attempts. This is done through the XML-RPC system.multicall method, which executes multiple methods inside one request, and it is one reason XMLRPC is so commonly abused.

Sometimes you will find the entry processes overloaded or the resource limits reached frequently. When that happens, check for an XML-RPC attack as well: at scale it quite commonly overloads the hosting account in cPanel.

You can try to identify whether the attack exists and mitigate it, then check whether the resources are still being used up. If they are, the cause may be something else.


You can use the grep pipeline below to find the POST requests and identify the attack; it outputs a list of IPs with their request counts for today's date:

    grep -s "$(date +"%d/%b/%Y:")" /etc/apache2/logs/domlogs/* | grep xmlrpc | awk '{print $1,$6,$7}' | sort | uniq -c | sort -n

Or

    grep -s "$(date +"%d/%b/%Y:")" /home/randy/access_logs/* | grep xmlrpc | awk '{print $1,$6,$7}' | sort | uniq -c | sort -n

You can also sort the output to suit your query. Example output (IP addresses masked):

1 /etc/apache2/logs/domlogs/XXXXX:**.**.2**.1*6 “POST /xmlrpc.php

19 /etc/apache2/logs/domlogs/XXXXXXX:4*.***.1**.1** “POST /xmlrpc.php

39 /etc/apache2/logs/domlogs/XXXXXX:1**5.6*.2**.134 “POST /xmlrpc.php

156 /etc/apache2/logs/domlogs/XXXXXX:4*.***.9*.1** “POST /xmlrpc.php
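As an added example that is not part of the original post, the Python script below does two things: it reproduces the grep/awk/uniq pipeline above over a few constructed access-log lines (counting POST /xmlrpc.php per client IP for one day), and it inspects an XML-RPC request body the way a ModSecurity-style rule would, counting how many nested calls a system.multicall request carries so that oversized multicalls can be rejected. The log lines, the documentation-range IP addresses and the XML bodies are constructed samples, and the function names are my own.

```python
import re
from collections import Counter
# Python's ElementTree does not fetch external entities, but for bodies from
# untrusted clients the defusedxml package is the safer parser in production.
from xml.etree import ElementTree as ET

# Matches one Apache/cPanel combined-format access-log line and captures the
# fields the page's awk command prints: client IP, request method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
192.0.2.44 - - [11/Mar/2024:23:59:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed XML-RPC bodies: a three-call multicall and an ordinary single call.
SAMPLE_MULTICALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>demo.sayHello</string></value></member>
      <member><name>params</name><value><array><data/></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>demo.sayHello</string></value></member>
      <member><name>params</name><value><array><data/></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>demo.addTwoNumbers</string></value></member>
      <member><name>params</name><value><array><data>
        <value><int>1</int></value><value><int>2</int></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>
"""
SAMPLE_SINGLE = "<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"


def count_xmlrpc_posts(log_text, day):
    """Count POST /xmlrpc.php requests per client IP for one day.

    `day` is the log date prefix, e.g. "12/Mar/2024:", the same string the
    page's `date +"%d/%b/%Y:"` produces. This mirrors grep | awk | sort | uniq -c.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        if not m.group("ts").startswith(day):
            continue  # other day
        if m.group("method") == "POST" and m.group("path").startswith("/xmlrpc.php"):
            counts[m.group("ip")] += 1
    return counts


def suspicious_ips(counts, threshold):
    """IPs with at least `threshold` xmlrpc POSTs, busiest first (reverse of sort -n)."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def multicall_size(body):
    """Number of nested calls in a system.multicall body, or 0 for any other body.

    A WAF rule can reject requests where this exceeds a small limit (or any
    multicall at all), which is what blocking system.multicall achieves.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 0  # not well-formed XML; xmlrpc.php will reject it anyway
    if root.tag != "methodCall":
        return 0
    if root.findtext("methodName", "").strip() != "system.multicall":
        return 0
    # The single parameter of system.multicall is an array of structs,
    # one struct per nested call.
    return len(root.findall("./params/param/value/array/data/value/struct"))


if __name__ == "__main__":
    today = count_xmlrpc_posts(SAMPLE_LOG, "12/Mar/2024:")
    for ip, n in sorted(today.items(), key=lambda kv: kv[1]):
        print(f"{n:>6} {ip} POST /xmlrpc.php")
    print("flag for blocking:", suspicious_ips(today, 2))
    print("nested calls in sample multicall:", multicall_size(SAMPLE_MULTICALL))
```

The log half answers the question the page asks with grep (which IPs are hammering xmlrpc.php today); the body half is the check you would wire into a WAF or a small proxy filter, since the access log never shows how many attempts a single multicall request carried.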

Prevention methods

A few methods can be applied manually once the attack has been identified, such as:

Adding the following lines to your .htaccess file if you are using the Apache web server (this is the Apache 2.2 access-control syntax; on Apache 2.4 it requires mod_access_compat, or use `Require all denied` instead):

    <Files xmlrpc.php>
        order deny,allow
        deny from all
    </Files>

If you want to allow certain IPs, for example the Jetpack plugin's IP addresses, to keep using it (replace 8.8.8.8 with the address you want to allow):

    <Files xmlrpc.php>
        order deny,allow
        allow from 8.8.8.8
        deny from all
    </Files>

For Nginx, the `deny all;` belongs inside the location block:

    server {
        location /xmlrpc.php {
            deny all;
        }
    }

  • Plesk Control Panel with WP Toolkit also has an option to disable XMLRPC pingbacks:
  1. Within the WordPress Toolkit, click Check Security.
  2. Enable the “Turn off pingbacks” option and click Secure.
  3. Your WordPress site will now block pingback requests.

You can also install plugins such as Disable XML-RPC, WP Hide Login or Loginizer, but each of these takes up resources of its own. Other than that, ModSecurity or Sucuri may do a good job of blocking the exploitable “system.multicall” requests. Once you have mitigated the XML-RPC attack, your entry process count or CPU usage may drop drastically.

Please note that some plugins may stop working if they rely heavily on XML-RPC.
