All posts by jlebrijo

DoS attacks Against WordPress XMLRPC

WordPress is the most popular blog system. But it has a weakness in its design: the XML-RPC protocol.

Brute Force Amplification Attacks Against WordPress XMLRPC

This protocol was made to transmit pings and references between blogs, automatically sending and accepting messages between them.

I tried several solutions like the Manage XML-RPC plugin, but obviously, when you are being attacked, you cannot access the Dashboard to configure that plugin correctly. Here are some other suggestions.

I will show you how I proceeded to reject the attack.

First, log the problem: `tail -f /var/log/nginx/access.log`. Then you can see the annoying IP making continuous /xmlrpc.php calls:

- - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
- - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
- - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
- - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"

Second, deny the IP directly in your NGINX config (e.g. /etc/nginx/conf.d/base.conf): `deny;`.

Nginx then responds with `HTTP 403 Forbidden` to any request from this IP.
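To make the "find the offending IP, then deny it" step repeatable, here is an added example (not from the original post) that counts POST /xmlrpc.php hits per client IP in a combined-format nginx log and prints ready-to-paste `deny` lines for IPs above a threshold. The log lines and the IPs (from documentation ranges) are constructed for the example; the threshold matters because legitimate pingbacks from other WordPress sites also POST to /xmlrpc.php, so a single hit is not evidence of abuse.

```shell
#!/bin/sh
# Added example: summarise POST /xmlrpc.php traffic per client IP from an
# nginx access log (combined format) and emit nginx "deny" directives for
# any IP at or above a threshold.

# Constructed sample log (not real traffic); IPs are documentation addresses.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
203.0.113.10 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
203.0.113.10 - - [28/Nov/2016:09:19:12 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
203.0.113.10 - - [28/Nov/2016:09:19:12 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;"
198.51.100.7 - - [28/Nov/2016:09:19:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2016:09:19:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.6; http://example.org"
EOF

# xmlrpc_offenders LOGFILE THRESHOLD
# Prints each client IP ($1 in the combined format) that issued at least
# THRESHOLD POST requests to /xmlrpc.php, one per line, sorted.
# Field 6 is the quoted method ("POST) and field 7 the request path.
xmlrpc_offenders() {
  awk -v thr="$2" '
    $6 == "\"POST" && $7 == "/xmlrpc.php" { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= thr) print ip }
  ' "$1" | sort
}

# nginx_deny_lines LOGFILE THRESHOLD
# Turns the offender list into "deny <ip>;" directives for an nginx
# http/server/location block.
nginx_deny_lines() {
  xmlrpc_offenders "$1" "$2" | awk '{ print "deny " $1 ";" }'
}

# Stand-alone run: with a threshold of 3 only the flooding IP is listed;
# the single legitimate pingback from 198.51.100.7 is left alone.
nginx_deny_lines "$SAMPLE_LOG" 3
```

Replace `SAMPLE_LOG` with `/var/log/nginx/access.log` on the server and review the output before adding it to the config, then `nginx -s reload`.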

Bower integration with your Rails 4 app

First take a look at this post about making a basic NodeJS installation on Ubuntu. You will need npm and bower installed.

If you want more details about this process, take a look at this post.

Configure Bower to place libraries in our vendor directory, in '.bowerrc':

{
  "directory": "vendor/assets/components"
}

The asset pipeline needs to know where to locate these libraries in order to process them, so write in your 'config/application.rb':

config.assets.paths << Rails.root.join('vendor', 'assets', 'components')

With `bower init` you create the 'bower.json' file, which should look like the following:

{
  "name": "BowerAndRails",
  "version": "0.0.1",
  "authors": [
    "Syl <>"
  ],
  "description": "Tutorial about Bower and Rails",
  "license": "MIT",
  "homepage": "",
  "ignore": [],
  "dependencies": {
    "intl-tel-input": "~6.0.6"
  }
}

With the command `bower install`, all dependencies will be installed in 'vendor/assets/components'.

After that you can require the files in your assets. In 'application.js':

//= require intl-tel-input
//= require intl-tel-input/lib/libphonenumber/build/utils

In 'application.sass':

@import intl-tel-input/src/css/intlTelInput
  background-image: url('intl-tel-input/build/img/flags.png')

On `rails s`, assets will be taken from the Bower components.

Integrating in Capistrano flow

Add `gem 'capistrano-bower'` to your Gemfile, and load the library from your Capfile: `require 'capistrano/bower'`.

Then you can hook the task into the deploy flow. In `config/deploy.rb`:

namespace :deploy do
  # run bower:install before assets are compiled, so the components are present
  before :compile_assets, 'bower:install'
end

Basic NodeJS installation for Ubuntu

NodeJS installation for Ubuntu 14.04

Some packages are needed for binary builds:

sudo apt-get update
sudo apt-get install build-essential libssl-dev

First install NVM (Node Version Manager) for your OS. Mine is Ubuntu, so:

curl | sh

Now install the latest Node version (today it is v0.12.0):

nvm install -s v0.12.0
nvm alias default v0.12.0

This will take a while because you are compiling from source (the -s option).

Installing Bower

Bower lets you install and manage the dependencies of a lot of JS libraries found in its registry:

npm install -g bower