Why are xmlrpc.php entries still in other_vhosts_access.log?

May 28, 2016 239 views
Security WordPress Ubuntu 16.04

I use ufw and fail2ban, and I've come across some behavior I don't understand, and this leads me to think that something's not configured correctly. I noticed a ton of POSTs from two IP addresses over and over again that I cannot identify. What's weird, though, is even if I add them to ufw, they still show in othervhostsaccess.log. These addresses and attempts do not show in access.log, however.

Just to be clear, I added them using "insert" so that the deny statements are above the allow statements for ports 80 and 443. I even tried resetting the rules and starting over.

1 Answer

Hi John - If you are using NGinx, you should add the following declaration in your .conf file. As the comment states, it will eliminate your ability to use the WP app. But, XMLRPC attacks are pretty common.

Thwarts XMLRPC attacks, which will also remove your ability to control your blog with the smartphone app

location /xmlrpc.php {
deny all;

As for the firewall rules, note that firewall rules are processed in order. If your IP ban rule is last, other rules take precedence.

  • Actually, I'm using Apache, and, yes, I am aware of the fact that I need to do "ufw insert" in order to put the deny statements before the more general allow ones.

    So, I guess you indirectly answered my real question, since the inference is that these should not be showing up in Apache's logfiles if the IP is blocked.

Have another answer? Share your knowledge.