Prevent XML-RPC attacks on WordPress websites

This blog runs on WordPress, which I host on a VPS with DigitalOcean.

I didn’t use shared hosting services like Bluehost because I’m a geek and I like spinning up my own servers manually and keeping control over how things are set up.

I started running this blog on a $5 per month DigitalOcean droplet, which had 512MB of RAM, a single-core CPU and a 20GB SSD. I was running the standard LAMP stack on it to serve WordPress. It was cheap, it worked, and my website seemed to load fast enough.

Recently, I began having problems with my blog constantly going down, giving me the “Error establishing connection to the database” error every time I accessed my website. Most of the time, I could resolve this by ssh’ing into my server and restarting apache or mysql. Over the past two days the downtime had been getting worse, and I started getting the bash: fork: Cannot allocate memory error when I issued commands in the shell.

I was like, “Okay… maybe $5 per month isn’t enough to run the LAMP stack.” I figured I could upgrade to the $10 per month plan, which gives 1GB of RAM. That is enough to run Ruby on Rails applications, so it should be more than enough for a small WordPress site. After the upgrade, my blog ran fine for one day and then started crashing again.

Since there was no way my current server wasn’t enough to run a small WordPress site, I began investigating why it was constantly running out of memory and taking my site down. It turns out there’s a class of attacks on WordPress sites known as XML-RPC attacks. XML-RPC is basically a protocol for calling functions on a remote server over HTTP. WordPress uses it (through xmlrpc.php) for legitimate remote operations, but the same endpoint can be abused to launch brute force login attacks against WordPress sites.

There’s a great guide on how to prevent XML-RPC attacks here:

https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-from-xml-rpc-attacks-on-ubuntu-14-04

Below is the TL;DR, step-by-step version of that article, which should apply to most people (method 2 of the article only works if you used DigitalOcean’s one-click WordPress install, which I didn’t).

Check if you are experiencing attacks

This is simple to do. SSH into your server and run one of the two following commands, depending on which web server you’re running:

apache2

grep xmlrpc /var/log/apache2/access.log

nginx

grep xmlrpc /var/log/nginx/access.log

If you’re experiencing attacks, you’ll see a bunch of log lines that look something like this:

POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

If you do see that in your logs, continue on to the next two steps.
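Beyond a plain grep, it helps to know how many xmlrpc.php POSTs you are getting, from which client IPs, and how many are still being answered 200 (re-run it after the blocking step below; that number should drop to zero). The script below is an added example, not part of the original post or the DigitalOcean tutorial; it assumes the standard “combined” log format of Apache and nginx, and the log lines it parses are constructed sample data with documentation IP addresses.

```shell
#!/bin/sh
# Added example: tally POST requests to xmlrpc.php in a combined-format
# access log, so you can see whether (and from where) the endpoint is
# being hammered. Point xmlrpc_report at /var/log/apache2/access.log or
# /var/log/nginx/access.log on a real server.

# Constructed sample log lines (Apache/nginx "combined" format), used here
# so the script runs offline. 203.0.113.7 is hitting xmlrpc.php repeatedly.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2016:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [10/Mar/2016:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.23 - - [10/Mar/2016:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2016:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.47.0"
203.0.113.7 - - [10/Mar/2016:10:01:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
EOF

# In the combined format, $1 is the client IP, $6 is the quoted method,
# $7 the request path and $9 the HTTP status code.

# Total POSTs to xmlrpc.php, whatever the response status.
xmlrpc_post_count() {
  awk '$6 == "\"POST" && $7 == "/xmlrpc.php" { n++ } END { print n + 0 }' "$1"
}

# POSTs to xmlrpc.php that were still answered 200, i.e. not yet blocked.
xmlrpc_unblocked_count() {
  awk '$6 == "\"POST" && $7 == "/xmlrpc.php" && $9 == "200" { n++ } END { print n + 0 }' "$1"
}

# "count ip" per client, busiest first.
xmlrpc_top_ips() {
  awk '$6 == "\"POST" && $7 == "/xmlrpc.php" { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# The single busiest client IP.
xmlrpc_top_ip() {
  xmlrpc_top_ips "$1" | head -n 1 | awk '{ print $2 }'
}

xmlrpc_report() {
  echo "xmlrpc.php POSTs: $(xmlrpc_post_count "$1") (still answered 200: $(xmlrpc_unblocked_count "$1"))"
  echo "By client IP:"
  xmlrpc_top_ips "$1"
}

xmlrpc_report "$SAMPLE_LOG"
```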

Install JetPack and turn on the protect feature

The JetPack WordPress plugin can protect against brute force attacks. Unfortunately, this won’t prevent all attacks. I can’t remember the technical reason for it, but I had this feature turned on before I started having problems and my blog was still taken down constantly. Regardless, it doesn’t hurt to install this plugin and turn on the “protect” feature. Now, on to the sledgehammer method of protecting against XML-RPC attacks.

Manually blocking XML-RPC attacks

This is the sledgehammer method, and the one that worked for me.

For apache, open up the configuration file with sudo:

sudo vim /etc/apache2/sites-available/000-default.conf

and add the following lines inside the VirtualHost tags.

Save and close, then restart your server with

sudo service apache2 restart

For nginx, open up the site configuration:

sudo vim /etc/nginx/sites-available/example.com

and add the following lines to the file.

Restart your server with

sudo service nginx restart

and you should be good to go!

Thoughts

I try to think of every problem I experience as a learning experience, but these were a few hours I could have spent on client projects. If I were a WordPress developer, I would consider this a learning experience, but I’m not and probably never will be. I’m thinking about migrating this blog to WPEngine, or to something like Ghost or SquareSpace, so that I can just focus on writing content.

About the Author Chris Jeon

Software developer currently focusing on Android development.