Thursday, November 9, 2017

DISABLE XML-RPC WHEN IT IS NOT NEEDED

When using WordPress, anyone who has ever opened the source code will have seen the file xmlrpc.php in the root directory of the source. XML-RPC has been part of WordPress since earlier versions, but since version 3.5 it has been turned on by default.

XML-RPC is a protocol for connecting to a remote WordPress website, using XML to exchange data. The APIs currently supported by CMSs such as WordPress include the WordPress API, Blogger API, Movable Type API, Pingback API, MetaWeblog API, etc.

Typically on WordPress, XML-RPC is used when publishing posts from an external application such as Windows Live Writer, or from services that connect to the website to post, such as IFTTT.

But because XML-RPC is so widespread on WordPress, it opens the possibility of brute-force attacks against passwords or, worse, of sending a large volume of requests to the server to cripple it. This form of attack is called an HTTP Flood attack, which is a type of DDoS attack.

[Figure: Sucuri's XML-RPC attack frequency statistics. Source: original article on Sucuri.]
Attacks on WordPress websites via XML-RPC are not new, but over the past week I've seen quite a few people hacked in this manner, according to the records of customers using the hosting service at AZDIGI.

So if you do not need to connect WordPress to external services or applications, disable XML-RPC to avoid the risk of this kind of attack.

HOW TO KNOW IF THE WEBSITE IS UNDER ATTACK


The easiest way to tell whether your website is under attack is to open the access_log file. If you see a large number of hits like the following, your website is under attack via XML-RPC.

xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:49 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:50 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:50 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:51 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:51 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
xxx.xxx.xxx.xxx - - [15/Sep/2016:12:54:52 +0700] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8
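As an added example (not code from the original article), the following Python script reads access_log lines in the combined format shown above and flags source IPs that POST to /xmlrpc.php at least a threshold number of times within a time window. The sample log lines, the 60-second window and the threshold of 20 hits are constructed values; tune them to your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as in the excerpt above: ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, datetime, method, path), or None for a line that is not a well-formed request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    parts = m.group("req").split()
    if len(parts) < 2:
        return None
    return m.group("ip"), ts, parts[0], parts[1]


def xmlrpc_flood_sources(lines, window_seconds=60, threshold=20):
    """Count POST /xmlrpc.php hits per source IP inside each window.

    Returns {ip: highest per-window hit count} for every IP reaching the threshold.
    """
    buckets = defaultdict(Counter)  # window index -> Counter of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing on them
        ip, ts, method, path = parsed
        if method != "POST" or path.split("?")[0] != "/xmlrpc.php":
            continue
        buckets[int(ts.timestamp()) // window_seconds][ip] += 1
    flagged = {}
    for counts in buckets.values():
        for ip, n in counts.items():
            if n >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def _line(ip, sec, req):
    return '%s - - [15/Sep/2016:12:54:%02d +0700] "%s" 200 0 "-" "Mozilla/5.0"' % (ip, sec, req)


# Constructed sample: one source hammering xmlrpc.php, one normal visitor, one malformed line.
SAMPLE_LOG = [_line("203.0.113.5", s, "POST /xmlrpc.php HTTP/1.1") for s in range(25)]
SAMPLE_LOG += [_line("198.51.100.7", 10, "GET /index.php HTTP/1.1"),
               _line("198.51.100.7", 11, "POST /xmlrpc.php HTTP/1.1"),
               "garbage line that does not parse"]

if __name__ == "__main__":
    print(xmlrpc_flood_sources(SAMPLE_LOG))  # {'203.0.113.5': 25}
```

Run it against a real file with `xmlrpc_flood_sources(open("/path/to/access_log"))`; the flagged IPs are candidates for a firewall rule, and a non-empty result is the signal to apply the blocks described below.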

DEALING WITH ATTACKS THROUGH XMLRPC


To limit this type of attack, there is a simple way: block this file from being executed. Note that you should not delete it, because it is part of the WordPress source code; removing it can cause errors, and it will come back when you update to a new version, so blocking is the best way.


Block xmlrpc.php on .htaccess


If you use shared hosting or a server with Apache installed, insert the following into the .htaccess file at the root of the website.

# Deny every request to xmlrpc.php (Apache 2.2-style access control directives)
<Files xmlrpc.php>
 order allow,deny
 deny from all
</Files>

Block xmlrpc.php on NGINX


If you are using NGINX as the web server (in conjunction with PHP-FPM), add the following to the domain's configuration file on NGINX.

# Deny every request to xmlrpc.php and keep the blocked hits out of the logs
location = /xmlrpc.php {
 deny all;
 access_log off;
 log_not_found off;
}
Then restart NGINX.


service nginx restart

Block xmlrpc.php with the iThemes Security plugin


If neither of the two methods above is convenient for you, using the built-in feature of iThemes Security is the easiest.

This plugin is almost a must-install when using WordPress; if you have not installed it yet, install it now by following this tutorial. The plugin has an integrated XML-RPC blocker and can also block Pingbacks (which you should disable if you do not need them). You can turn it on under Security -> Settings -> WordPress Tweak and select Disable XML-RPC.

[Figure: ithemes-security-block-xmlrpc. Blocking XML-RPC in the iThemes Security plugin.]
If you use NGINX, enabling this option will also require restarting NGINX.

EPILOGUE


Although WordPress is one of the most popular and well-known pieces of source code, some of its features can be misused, so keep an eye on your logs (the access log) for early detection of abnormal behaviour. If you are not sure whether your website is safe, we recommend using the Sucuri Firewall service to better protect your website.
