By bn520995
This happens all the time. I thought Jetpack Protect was supposed to stop this?
Over and over my server is taken down by attacks against xmlrpc.php frequently where the attacker is spoofing Google Bot or some version of Windows.
```
[MY SERVER IP]:80 185.103.252.170 - - [27/Apr/2016:04:05:09 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.103.252.170 - - [27/Apr/2016:04:05:10 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.120 - - [27/Apr/2016:04:05:10 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.197 - - [27/Apr/2016:04:05:10 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.120 - - [27/Apr/2016:04:05:11 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.120 - - [27/Apr/2016:04:05:11 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.103.252.170 - - [27/Apr/2016:04:05:12 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.197 - - [27/Apr/2016:04:05:13 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.120 - - [27/Apr/2016:04:05:13 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
[MY SERVER IP]:80 185.130.4.197 - - [27/Apr/2016:04:05:15 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
```
Cloudflare also isn’t blocking this (unless the attacker somehow uncovered my server IP). Why does WordPress still have such a glaring vulnerability at this stage of development, and why isn’t Protect doing its job? It is so easy to crash a server this way.
I would love to just block xmlrpc.php entirely but too many plugins depend on it, including Jetpack.
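If you are using Apache:
Add the highlighted lines below between the <VirtualHost> tags.
```
<VirtualHost>
…
# Added lines: deny all access to xmlrpc.php
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
</VirtualHost>
```
If you are using nginx:
```
server {
…
    # Added lines: deny all access to xmlrpc.php
    location /xmlrpc.php {
        deny all;
    }
}
```
Don't forget to restart your web server after adding the above lines.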
This comment has been deleted
Hi! We are just suffering the same kind of “attack” (I’m not sure how to name it).
As all requests were from the same subnet, we were able to block them from firewalld.
Hope it helps.
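Added example (not part of the original thread or any poster's code): a Python script that groups `POST /xmlrpc.php` entries, in the log layout quoted in the question, by source /24 subnet and prints a firewalld rich rule for each noisy subnet, the check behind the subnet block described above. The sample log is constructed; the function names, the threshold and the 203.0.113.10 server address are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample modelled on the entries quoted in the question;
# 203.0.113.10 stands in for the redacted server IP.
SAMPLE_LOG = """\
203.0.113.10:80 185.103.252.170 - - [27/Apr/2016:04:05:09 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 185.103.252.170 - - [27/Apr/2016:04:05:10 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 185.130.4.120 - - [27/Apr/2016:04:05:10 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 185.130.4.197 - - [27/Apr/2016:04:05:10 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 185.130.4.120 - - [27/Apr/2016:04:05:11 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 185.130.4.197 - - [27/Apr/2016:04:05:13 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 198.51.100.7 - - [27/Apr/2016:04:05:13 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10:80 198.51.100.7 - - [27/Apr/2016:04:05:14 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10:80 185.103.252.170 - - [27/Apr/2016:04:05:15 -0400] "POST /xmlrpc.php HTTP/1.0" 500 592 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
"""
# Fields: vhost:port, client IP, ident, user, [time], "METHOD path proto", status
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)
# firewalld rich rule that drops a source subnet (run "firewall-cmd --reload" after)
RULE = "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"{}\" drop'"

def xmlrpc_posts_by_subnet(log_text, prefix=24):
    """Count POST requests to xmlrpc.php per source subnet of the given prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line or not a POST
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path.endswith("/xmlrpc.php"):
            counts[str(ip_network(f"{m['ip']}/{prefix}", strict=False))] += 1
    return counts

def noisy_subnets(log_text, threshold=3, prefix=24):
    """Subnets with at least `threshold` xmlrpc.php POSTs, busiest first."""
    ranked = xmlrpc_posts_by_subnet(log_text, prefix).most_common()
    return [(net, hits) for net, hits in ranked if hits >= threshold]

def firewalld_rule(subnet):
    """Render the firewall-cmd line for one subnet; review before running."""
    return RULE.format(subnet)

if __name__ == "__main__":
    for subnet, hits in noisy_subnets(SAMPLE_LOG):
        print(f"{hits:4d} POSTs  {firewalld_rule(subnet)}")
```

The single `POST /xmlrpc.php` from 198.51.100.7 stays below the threshold, which is the point of counting before blocking: legitimate XML-RPC clients such as Jetpack also POST to this endpoint.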