=== XMLRPC ===
XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. It has been turned on by default since WordPress 3.5. \\
XML-RPC is an API: it gives developers and services the ability to talk to a WordPress site. \\
\\
XML-RPC functionality is primarily used for three common reasons: \\
  * Pingbacks/trackbacks (great for Viagra spam, DDoS attacks, and not much else)
  * Jetpack (an all-in-one solution to slowing down and/or bloating your WordPress site with third-party scripts)
  * WP mobile apps
More information on the XML-RPC API for WordPress can be found at: https://codex.wordpress.org/XML-RPC_WordPress_API \\
\\
== What is an xmlrpc attack? ==
XML-RPC supports **//system.multicall//**, which executes multiple methods inside a single request. This lets applications pass multiple commands with one HTTP request. \\
This means that bots and attackers can use the system.multicall method to guess hundreds or thousands of passwords with a single HTTP request. \\
Thousands of password attempts can be made with just 3-4 HTTP requests. Because each request produces only one entry in the access log, these requests bypass security tools that detect brute force attempts by counting failed logins or requests. \\
**__NOTE__**: //Your system's load average may increase significantly during one of these attacks. It may be hard to diagnose at first because Apache is NOT hitting MaxClients. Remember to investigate the access logs and check for lots of POST requests to xmlrpc.php!// \\
\\
----
\\
**__NOTE__**: //WordPress, Drupal and most content management systems support XML-RPC.// \\
It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages.
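As an added example (not part of the original wiki page, nor WordPress code): a small POSIX shell script that does what the note above recommends, tallying POST requests to xmlrpc.php per client IP in combined-format Apache/nginx access logs and flagging any IP whose count reaches a threshold. The log lines embedded in it are constructed sample data, and the function names (''xmlrpc_hits'', ''flag_xmlrpc_abusers'') are my own, not a tool's.

```shell
#!/bin/sh
# Added example, not from the original wiki page: count POST requests to
# xmlrpc.php per client IP in Apache/nginx "combined" access logs and flag
# IPs above a threshold. One multicall request = one log line, so the
# request count per IP is the signal, not the number of failed logins.

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 311 "-" "wp-android/4.3"
192.0.2.9 - - [10/Oct/2015:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Temporary file holding the constructed sample; replace with real log paths
# such as /var/log/httpd/*access*log when using the functions for real.
SAMPLE_FILE="${TMPDIR:-/tmp}/xmlrpc-sample-$$.log"
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# xmlrpc_hits LOGFILE...
# Prints "count ip method path" for every client that requested xmlrpc.php,
# least active first. Fields in the combined format: $1 = client IP,
# $6 = "METHOD (with the opening quote), $7 = request path.
xmlrpc_hits() {
    awk '$7 ~ /xmlrpc\.php/ { key = $1 " " $6 " " $7; n[key]++ }
         END { for (k in n) print n[k], k }' "$@" | tr -d '"' | sort -n
}

# flag_xmlrpc_abusers THRESHOLD LOGFILE...
# Prints only the client IPs whose POST count to xmlrpc.php is >= THRESHOLD.
flag_xmlrpc_abusers() {
    t=$1
    shift
    xmlrpc_hits "$@" | awk -v t="$t" '$3 == "POST" && $1 >= t { print $2 }'
}

echo "== requests to xmlrpc.php per client =="
xmlrpc_hits "$SAMPLE_FILE"
echo "== clients with at least 3 POSTs to xmlrpc.php =="
flag_xmlrpc_abusers 3 "$SAMPLE_FILE"
```

On the sample data the mobile-app client (one POST) is left alone while the client with four POSTs is flagged; on a live server the threshold should be set well above what Jetpack and the mobile apps generate, and a flagged IP is a candidate for a firewall rule or for the Apache/nginx deny rules further down this page.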
\\
== Checking Apache and nginx logs for xmlrpc ==
<code bash>
awk '/xmlrpc.php/ {REQ[$1" "$6" "$7]++}END{for (i in REQ) print REQ[i],i}' /var/log/httpd/*access*log | sort -n | tail -25
</code>
This prints the 25 busiest client IP / method / path combinations hitting xmlrpc.php, so a single IP with a large number of POST requests stands out. \\
\\
**__Basic configuration:__** \\
To prevent xmlrpc attacks, add the following to the site's .htaccess (scoped to xmlrpc.php so the rest of the site is not denied as well): \\
<code apache>
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>
</code>
If you have applications or plugins that need XML-RPC, or you are a hosting reseller, then you will want to add something similar to the code below. This allows the WordPress IP range (current IP range; this could change) and denies potential attacks: \\
**__Apache .htaccess:__**
<code apache>
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    Allow from 192.0.64.0/18
    Satisfy All
    ErrorDocument 403 http://127.0.0.1/
</Files>
</code>
''Order''/''Allow''/''Deny'' are Apache 2.2 directives; on Apache 2.4 they need mod_access_compat, otherwise use ''Require all denied'' and ''Require ip 192.0.64.0/18'' instead. \\
**__Nginx__** \\
Deny all through nginx:
<code nginx>
location = /xmlrpc.php {
    deny all;
    access_log off;            # to prevent filling up the access log file
    error_log /dev/null crit;  # nginx has no "error_log off"; that would write to a file named "off"
}
</code>
\\
Allowing WordPress IPs:
<code nginx>
location = /xmlrpc.php {
    allow 192.0.64.0/18;
    deny all;
    access_log off;            # to prevent filling up the access log file
    error_log /dev/null crit;  # see note above
}
</code>
\\
== JetPack ==
This WordPress plugin does come with xmlrpc.php protection from brute force. \\
**__Note__**: //This is SITE specific and will not cover system-wide WordPress sites.// \\
Jetpack: https://wordpress.org/plugins/jetpack/ \\
\\
\\
=== Wordfence ===
## CURRENTLY INVESTIGATING ## \\
I believe it costs around $5 a month. \\
This can also be used to block an attempted attack on XMLRPC. \\
\\
\\
References: \\
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html \\
https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/ \\
http://wptavern.com/its-time-for-xml-rpc-in-wordpress-to-hit-the-road \\
https://www.saotn.org/huge-increase-wordpress-xmlrpc-php-post-requests/ - READ