Tag Archives: Wordpress

DoS attacks Against WordPress XMLRPC

WordPress is the most popular Blog system. But it has a weakness on its design: XML-RPC protocol.

Brute Force Amplification Attacks Against WordPress XMLRPC

This protocol was made to transmit pings and references between blogs, sending/accepting automatic messages between blogs.

I tried several solutions like Manage XML-RPC plugin, but obviously, when you are being attacked, you cannot access to the Dashboard to configure that plugin correctly. Here there are some other suggestions.

I will show you how I proceed to reject the attack.

First, logging the problem: `tail -f /var/log/nginx/access.log`. Then you can see the annoying IP making continuous /xmlrpc.php calls:

163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

Second, directly deny the IP in your NGINX config (ie: /etc/nginx/conf.d/base.conf): `deny 163.172.141.185;`.

Nginx just responds with `403 HTTP Forbidden` to any request from this IP.