WordPress post xmlrpc.php attack Prevention
Date Posted: 17-07-2017
This post explains how to prevent an xmlrpc.php attack on a WordPress website. The error below, or continuous POST requests to xmlrpc.php in the access log, is the best way to identify the attack.
2017/07/17 06:25:46 [error] 14858#14858: *411668 connect() to unix:/run/php/php7.0-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: xx.xx.xx.xx, server: _, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "yy.yy.yy.yy"
Resolution:
Open the nginx configuration file and append the following line. Normally, the default configuration is /etc/nginx/sites-enabled/default. If the domain has a different configuration, modify the corresponding configuration instead.
vi /etc/nginx/sites-enabled/default
Add the line below inside the server { } section:
location = /xmlrpc.php { deny all; } # protect against brute force attack
Check the nginx configuration for syntax errors.
nginx -t
Restart nginx.
service nginx restart
Verification:
Review the log file (by default it will be /var/log/nginx/access_log), where we can see lines like the one below.
2017/07/17 08:19:19 [error] 2162#2162: *420744 access forbidden by rule, client: xx.xx.xx.xx 7, server: _, request: "POST /xmlrpc.php HTTP/1.0", host: "yy.yy.yy.yy.yy"
From the log, we can confirm that POST requests to xmlrpc.php are blocked.
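The script below is an added example, not part of the original post. It covers both the identification step (continuous POST requests to xmlrpc.php in the access log) and the verification step (those requests now being refused) by counting POSTs per client and how many were answered with 403. It assumes the access log uses nginx's default "combined" format; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise POSTs to /xmlrpc.php per client from an nginx
# access log in the default "combined" format (assumed).

# Constructed sample log lines (documentation-range addresses, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.10 - - [17/Jul/2017:06:25:40 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [17/Jul/2017:06:25:41 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [17/Jul/2017:06:25:46 +0000] "POST /xmlrpc.php HTTP/1.0" 502 166 "-" "-"
198.51.100.7 - - [17/Jul/2017:06:26:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2017:06:26:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jul/2017:08:19:19 +0000] "POST /xmlrpc.php HTTP/1.0" 403 162 "-" "-"
203.0.113.10 - - [17/Jul/2017:08:19:20 +0000] "POST /xmlrpc.php HTTP/1.0" 403 162 "-" "-"
EOF
}

# xmlrpc_post_summary MIN_REQUESTS [LOGFILE]
# Prints "client total blocked" for each client with at least MIN_REQUESTS
# POSTs to /xmlrpc.php; "blocked" counts those answered with 403.
# Reads LOGFILE if given, otherwise standard input.
xmlrpc_post_summary() {
    min="$1"; shift
    awk -v min="$min" '
        # combined format: $1 client, $6 "METHOD, $7 URI, $9 status
        $6 == "\"POST" && ($7 == "/xmlrpc.php" || index($7, "/xmlrpc.php?") == 1) {
            total[$1]++
            if ($9 == 403) blocked[$1]++
        }
        END {
            for (ip in total)
                if (total[ip] >= min)
                    printf "%s %d %d\n", ip, total[ip], blocked[ip]
        }
    ' "$@" | sort -k2,2nr
}

# Clients with 3 or more POSTs to xmlrpc.php in the sample.
sample_log | xmlrpc_post_summary 3
```

On a real server, pass the access log path as the second argument; once the deny rule is active, the blocked count should grow with every new request from the offending clients.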