WordPress is the most popular Content Management System (CMS) for blogging. This popularity makes WordPress a perfect target for hackers. The most common attack faced by a WordPress site is the XML-RPC attack.
Recognizing an XML-RPC Attack
1) The “Error establishing database connection” error appears at random on the WordPress site.
2) “Out of memory” and/or full CPU usage errors in the web console or cPanel.
3) “Cannot open the file no such file/directory” errors in the web server error log.
4) “POST /xmlrpc.php HTTP/1.0” entries in the web server access log.
What Is Xmlrpc.php?
XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, XML-RPC was introduced to handle that job.
For example, let’s say you wanted to post to your site from your mobile device since your computer was nowhere nearby. You could use the remote access feature enabled by xmlrpc.php to do just that.
The core features that xmlrpc.php enabled were allowing you to connect to your site via smartphone, implementing trackbacks and pingbacks from other sites, and some functions associated with the Jetpack plugin.
Commands to search for XML-RPC attacks on different Linux distributions
For Apache on CentOS:
# grep xmlrpc /var/log/httpd/access_log
For Apache on Ubuntu:
# grep xmlrpc /var/log/apache2/access.log
For a cPanel server:
# grep xmlrpc /home/username/logs/access.log
For an Nginx server:
# grep xmlrpc /var/log/nginx/access.log
If the WordPress site is under attack, the output of the above commands will be similar to:
"POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
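The grep commands above list every matching line, including the occasional legitimate request, so it helps to count POST requests to xmlrpc.php per client address and report only the heavy senders. The script below is an added example, not part of the original article; the function names, the default threshold and the sample log lines (documentation IP addresses) are constructed for illustration and assume the Apache/Nginx "combined" log format.

```shell
#!/bin/sh
# Added example: count POSTs to xmlrpc.php per client IP in an access log.
# Assumes the "combined" log format, where field 1 is the client address,
# field 6 is the quoted method and field 7 is the request path.

# Print "count ip" for every client with at least THRESHOLD POSTs to
# xmlrpc.php (also matches subdirectory installs such as /blog/xmlrpc.php).
xmlrpc_post_sources() {
    awk -v min="${2:-3}" '
        $6 == "\"POST" && $7 ~ /\/xmlrpc\.php(\?|$)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Write a constructed sample log (not real traffic) to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress-App"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "WordPress-App"
192.0.2.44 - - [10/Oct/2023:13:55:05 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Oct/2023:13:55:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2023:13:55:07 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
EOF
}

# Demo run on the constructed sample; on a real server, pass the access
# log path from the commands above instead of the sample file.
sample=$(mktemp)
write_sample_log "$sample"
xmlrpc_post_sources "$sample" 2
rm -f "$sample"
```

Pick the threshold to suit the site: a single mobile app or pingback produces a handful of POSTs, while the attack pattern shown above repeats from the same address many times in a short window.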
Blocking XML-RPC attacks
We can block XML-RPC attacks in several ways.
1) Manually block xmlrpc in the .htaccess file
Here you deny access to the xmlrpc.php file for all users. Simply paste the following code into the .htaccess file in the website document root.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
# END protect xmlrpc.php
2) Manually block xmlrpc in the web server configuration.
For Apache, paste the code into the configuration file.
<VirtualHost>
…
<files xmlrpc.php>
order allow,deny
deny from all
</files>
</VirtualHost>
For Nginx, paste the code below into the configuration file.
server {
…
# Exact match (=) so that a regex block such as "location ~ \.php$" cannot take precedence
location = /xmlrpc.php {
deny all;
}
}
After editing the configuration files, you need to restart the web server to apply the changes.
3) Installing the Jetpack plugin.
The Jetpack plugin for WordPress will block the XML-RPC requests. After enabling the Jetpack plugin, you will still see the XML-RPC entries in the web server access log. The plugin reduces the load on the database from these malicious requests.