I know it’s not about DigitalOcean, but someone might know the solution. I’m getting an xmlrpc attack on WordPress and it causes 100% CPU usage.
Anyone know the solution? I’ll be grateful.
I have a few web sites that have been subject to this attack since last night. I’ve blocked the IPs via iptables but the logs show the requests keep coming. Should these IPs be reported to DO Support? I would be surprised if my servers are the only ones affected and am surprised this traffic has not been seen and/or blocked by DO.
I posted this on a similar question about xmlrpc.php and I found this page when searching for a solution to our problem. Hopefully this will help anyone else in the same boat:
Our solution uses fail2ban like the others, but with actions set up to use ufw commands since we love the simplicity of that firewall. Note that our log file is different from the default and includes the IP address the request was sent to first (other_vhosts_access.log), so remove the first “\S*” and space from the regex for the normal access log. For some reason, this was the default when we set up the WordPress droplet. YMMV.
# cat /etc/fail2ban/action.d/ufw.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip>
actionunban = ufw delete deny from <ip>
# cat /etc/fail2ban/filter.d/xmlrpc.conf
[Definition]
failregex = ^\S* <HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
# cat /etc/fail2ban/filter.d/wp-login.conf
[Definition]
failregex = ^\S* <HOST> .*POST .*wp-login\.php.*
ignoreregex =
# cat /etc/fail2ban/jail.d/xmlrpc.conf
[xmlrpc]
enabled = true
filter = xmlrpc
action = ufw
logpath = /var/log/apache2/other_vhosts_access.log
bantime = 43200
maxretry = 2
# cat /etc/fail2ban/jail.d/wp-login.conf
[wp-login]
enabled = true
# use the wp-login filter defined above, not the xmlrpc one
filter = wp-login
action = ufw
logpath = /var/log/apache2/other_vhosts_access.log
bantime = 600
maxretry = 6
findtime = 60
No changes were required to WordPress, and there were no plugins to install. This does mean that fail2ban can’t actually tell if there was a failure; it just looks at how often those URLs were accessed.
HTH
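To see what the xmlrpc filter above actually matches, here is an added Python example (not from the post and not fail2ban's own code) that replays a few constructed other_vhosts_access.log lines through the failregex and the jail's maxretry/findtime rule. It assumes a simplified `<HOST>` expansion and, since the xmlrpc jail above sets no findtime, fail2ban's default of 600 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied from the xmlrpc filter in the post; <HOST> is expanded here
# with a simplified address pattern (assumption: fail2ban's real one is richer).
FAILREGEX = r"^\S* <HOST> .*POST .*xmlrpc\.php.*"
HOST_PATTERN = r"(?P<host>[0-9A-Fa-f:.]+)"
XMLRPC_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# other_vhosts_access.log: "vhost:port client-ip - - [timestamp] ..."
TIMESTAMP_RE = re.compile(r"\[([^\]]+)\]")
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) if the line matches the filter, else None."""
    m = XMLRPC_RE.match(line)
    if not m:
        return None
    t = TIMESTAMP_RE.search(line)
    if not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), APACHE_TIME)

def bans_for(lines, maxretry=2, findtime=600):
    """Replay the log and return the IPs the jail would ban: an IP is banned
    on its maxretry-th matching request inside a findtime-second window."""
    hits = defaultdict(deque)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when = parsed
        if ip in banned:
            continue
        window = hits[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:  # expire old hits
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
example.com:80 203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"
example.com:80 203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"
example.com:80 198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
example.com:80 192.0.2.33 - - [10/Mar/2024:12:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Jetpack"
example.com:80 192.0.2.33 - - [10/Mar/2024:12:30:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Jetpack"
""".splitlines()

if __name__ == "__main__":
    print(sorted(bans_for(SAMPLE_LOG)))  # ['203.0.113.7']
```

The third line (a GET) never matches, and the two Jetpack-style POSTs 30 minutes apart stay under maxretry within the 600-second window, which is the kind of legitimate traffic to check before lowering findtime or maxretry further.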