How To Stop XML-RPC attack on WordPress site

WordPress is the world’s biggest content management system. What gains popularity is the easiness of its use, free and open-source nature. Recent studies say, WORDPRESS IS POWERING 37.8% OF THE WEB, it’s a huge number when we consider the number of sites that is live today. So let’s get started on How to stop XML-RPC attack on WordPress site.
And with such incredible popularity comes one big problem – hacks. WordPress is a prime target for hackers, everyday hundred thousands of WordPress sites are getting hacked.
This blog is an effort to identify and stop a specific type of attack, XML-RPC attack in WordPress site while discussing what is XML-RPC.

Brute Force Attacks

A very common and one of the oldest form of attack is brute force attacks. Brute force attacks can be done using protocols like SSH, FTP, etc. Usually, brute force attacks are easy to stop, but they still remain popular. The popularity of the brute force attack can be attributed to the abundance of weak passwords or to the lack of good access control habits. This also means that brute force attacks though easy to stop are still successful.
When a brute force attack occurs, commonly for an attacker to try different passwords they would have to attempt different login attempts. The larger the number of passwords they want to try, larger the number of login attempts with each attempt being logged in the server as a request. This makes preventing such an attack fairly easy as each attempt will be logged and can be blocked once the requests reach a certain number or limit. The XML-RPC attack is a form of brute force attack in which the attacker uses XML-RPC specification to perform the brute force.

What is XML-RPC and Why is it used:

The XML-RPC in WordPress is used to standardize the communications between different systems. It is a specification that uses HTTP for the transport mechanism and XML as its encoding mechanism. World Wide Web used HTTP as its underlying protocol and it is used to determine the formatting of messages, how they are transmitted, responses of web browsers and web servers with regards to various commands, etc.. XML, (stands for Extensible Markup Language) is a markup language similar to HTML and is used commonly in data transfer. XML provides a set of rules for encoding which allows a platform-independent, intermediate format. Thus, XML-RPC specification allows for the transmission of a wide range of data.
XML-RPC has been a part of WordPress from its start. WordPress itself is forked from another blogging software by the name b2 or cafelog. The logic of the XML-RPC is contained in a file by the name xmlrpc.php. Initially, the XML-RPC was off by default and was activated manually if needed from the Settings. But since WordPress version 3.5 it has been turned on by default.
It is used to communicate with different systems. WordPress may require to communicate with other systems( like other blogging systems ) and this is where XML-RPC comes into play. XML-RPC also plays an important role when posting from desktop clients or mobile apps.
The XML-RPC specification allows a client to place a remote procedure call using an HTTP request sent to a server which implements XML-RPC and to receive an HTTP response. The remote procedure call sent this way can include more than one parameters.

Brute Force Amplification

The disadvantage of a brute force attack stems from its one to one relationship between the requests and the log entries. Brute force amplification allows it to have a one to many relationships. Such an attack will be able to fit perform multiple requests in one shot, like for example, a request that is able to try hundreds of passwords.
Brute force amplification is harder to mitigate than traditional brute force attacks. Where brute force attacks will have a huge number of login attempts, the attacker could reduce the number of login attempts to a very low number and still guess hundreds of passwords with each request. This is why the mitigation of brute force amplified attacks is much harder than normal brute force attacks

What is XML-RPC attack?

An XML-RPC attack is a form of brute force amplification. By using the XML-RPC functionality, in a very short time, an attacker will be able to send numerous brute-force attacks against a WordPress installation. The attacker will try to use xmlrpc.php script to try and login using different username/password combinations. Hundreds of password/username combinations can be guessed with as little as 3 or 4 HTTP requests. As the XML-RPC specification will allow the attacker to try a large number of passwords with a comparatively less number of requests, it leads to high load on the database. This high load, in turn, could cause the site to be down with errors like “Error establishing database connection”.

How to recognize a XML-RPC attack:

• The WordPress site will show “Error establishing database connection” which is caused by high load on the database due to the large number of requests.
• Resource usage of the domain will be high.
• Web Console displays “Out of memory” error.
• Web server error log displays “Cannot open the file no such file/directory” error.
• Access log in web server for the domain will populated with “POST /xmlrpc.php HTTP/1.0” error.

How to search for xml-rpc attacks on different Linux/Web server combinations?

For a CentOS machine running Apache webserver using the command:
grep xmlrpc /var/log/httpd/access.log
For an Ubuntu machine running Apache web server use the command:
grep xmlrpc /var/log/apache2/access.log
For a server running Nginx:
grep xmlrpc /var/log/nginx/access.log
For a server that is running cPanel:
grep xmlrpc /home/access-logs/domain.com
grep xmlrpc /home/access-logs/domain.com-ssl_log
In case of a XML-RPC attack on the WordPress installation the above commands will show the following:
“POST /xmlrpc.php HTTP/1.0” 200 674 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”
Most of the Linux servers will show a result when the above commands are run as there will be legitimate XML-RPC But one can only say if there is an attack if the time frame the logs made are too often. If there is only seconds or milliseconds difference, then usually that might be a brute force attack.

How to prevent XML-RPC attacks?

XML-RPC attacks can be prevented or blocked using the following ways:

• WordPress has lot of plugins that extend or fix the issues relating to XML-RPC. Installing these plugins will help to deal with attacks involving xmlrpc.php
• It is also possible to block the IP from which the XML-RPC attacks originate in the server firewall. The IP can be easily identified from the access logs. This however is not a efficient solution as XML-RPC attacks can still occur from other IPs.
• Blocking all requests to the xmlrpc.php script can stop XML-RPC attacks entirely. It should be noted that there are some plugins and functionalities that rely on xmlrpc.php and this may cause some issues with them.

To block the requests the following methods can be used:

• • In Apache web server, the following code can be added to the .htaccess file in the WordPress installation document root to stop the requests:

< Files xmlrpc.php >
order deny,allow
deny from all
< /Files >

• • Adding the following code to the configuration file of Apache/Nginx will also block the requests:

a) In the Apache configuration file, add:
< VirtualHost >
———-
< files xmlrpc.php >
order allow,deny
deny from all
< /files >
< /VirtualHost >
b) In the Nginx configuration file, add:
server {
———–
location /xmlrpc.php {
deny all;
}
}
That’s it, I hope this article is informative for you, thanks.

Thanks for dropping by. Ready for the next blog?
https://dev.sysally.com/blog/hyper-v-to-vmware-and-physical-to-vmware-migration/