
Opened 4 years ago

Closed 4 years ago

#36806 closed defect (bug) (duplicate)

XML-RPC Hack

Reported by: xathras Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.5.2
Component: General Keywords:
Focuses: Cc:

Description

Dear Wordpress,

I noticed that xml-rpc.php has been under heavy load for the last few days. Wondering if there is any permanent fix for this?

The first signs of attack were a large spike in CPU resources on my AWS EC2 instance.

My OS is an Ubuntu Release with all updates & updates. See uname -a information:
root@ip-172-31-36-126:/# uname -a
Linux ip-172-31-36-126 3.13.0-79-generic #123-Ubuntu SMP Fri Feb 19 14:27:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

In order to prevent the attack further I added the following apache-rpc configuration to fail2ban:

# jail definition (jail.local); "filter" names the file filter.d/apache-xmlrpc.conf
[apache-xmlrpc]

enabled  = true
port     = http,https
filter   = apache-xmlrpc
logpath  = /opt/bitnami/apache2/logs/access_log
maxretry = 6
bantime  = 3600

I then added a filter file:

# filter.d/apache-xmlrpc.conf: match any POST to xmlrpc.php, logged by source host
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

My question is if this is known, why is there no fix? http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/
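As an added example (not part of the ticket, and not fail2ban's own code), here is a small Python reimplementation of the jail's counting logic, run over constructed access_log lines, showing what the failregex matches and how maxretry matches inside a findtime window (fail2ban's default of 600 s is assumed here) turn into a ban. The `<HOST>` token is replaced by a plain IPv4 pattern, a simplification of fail2ban's real host matcher.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The jail's failregex with <HOST> expanded to an IPv4 pattern (a simplification of
# fail2ban's own host matcher, assumed here for the example).
FAILREGEX = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*POST .*xmlrpc\.php.*")
# Apache access_log timestamp, e.g. [10/May/2016:19:36:01 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_line(line):
    """Return (host, timestamp) when the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    t = TIMESTAMP.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def hosts_to_ban(lines, maxretry=6, findtime=600):
    """Mimic fail2ban: ban a host once it has maxretry matches within findtime seconds.
    Older matches slide out of the window, so slow, spread-out requests do not trigger."""
    recent = defaultdict(deque)  # host -> timestamps of its recent matches
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def flood_line(host, second):
    return (f'{host} - - [10/May/2016:19:36:{second:02d} +0000] '
            f'"POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"')

# Constructed sample access_log lines: a burst of 6 POSTs in 6 seconds, 6 POSTs from
# another host spread over 15 minutes (outside findtime), and one GET that must not count.
SAMPLE_LOG = [flood_line("203.0.113.5", s) for s in range(1, 7)] + [
    f'192.0.2.9 - - [10/May/2016:19:{m:02d}:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.47"'
    for m in range(0, 16, 3)
] + ['198.51.100.7 - - [10/May/2016:19:36:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.5']
```

Lowering maxretry or widening findtime in the call shows how the same log would also ban the slow sender, which is the trade-off to weigh before tightening the jail on a busy site.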

Attachments (1)

Screen Shot 2016-05-10 at 7.36.27 PM.png (337.8 KB) - added by xathras 4 years ago.
Details of CPU


Change History (4)

#2 @lukecavanagh
4 years ago

This post talks about the same issue, as well as being of use since they were on an EC2 instance.

http://blog.carlesmateo.com/2014/08/30/stopping-and-investigating-a-wordpress-xmlrpc-php-attack/


#3 @dd32
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

A DOS (Denial of Service) against xml-rpc.php is no different to one against the homepage or wp-login.php; preventing either is out of scope for WordPress. Caching & security plugins often attempt to cover this well, but ultimately it's an issue that needs to be handled at the server level.

See #35532, #24193, and many other similar tickets.
