Wordpress is one of the most popular CMS platform available today with over 75 million websites powered by it. The popularity comes with risks as vulnerabilities and weakness of such platform will be shared amongst hackers and script kiddies, and automated bots will be searching for websites built on Wordpress platform.
Distributed Denial of Service (DDoS) attacks are a serious problem for many website owners as DDos can bring down a website for days and weeks if not mitigated. Wordpress has a pingback feature which is enabled by default can be used by booters to attack other websites. Booters (Cyber Criminals offering DDoS service for money) will use thousands of Wordpress websites to initiate pingback requests to target website. The pingback request to a Wordpress website is initiated by requesting the xmlrpc.php file, and it could not only attack other target website but also potentially slow down or even crash your website if heavily misused.
A sample log of Wordpress attacks using XML-RPC and Cron
22.214.171.124 www.example.com POST /xmlrpc.php HTTP/1.0 126.96.36.199 www.example.com POST /wp-cron.php?doing_wp_cron HTTP/1.0
If you experience extreme slow down on your website, you may install mod_status Apache module and enable server-status support to view server activities and performance. The server-status report will allow you to view pages being requested at the time when you're experiencing a problem.
To enable server-status module your your IP, you'll need to edit httpd.conf configuration file with the following.
<Location "/server-status"> SetHandler server-status Require ip 188.8.131.52 </Location>
To prevent XML-RPC pingback attack, you may use one of the following two options:
1. Remove xml-rpc.php file from your root of WP folder.
2. Disable XML-RPC on all IPs except for known good IP.
<FilesMatch "xmlrpc\.php$"> order deny,allow deny from all allow from 184.108.40.206 </FilesMatch>
If you're using a DDoS mitigation service from Incapsula, CloudFlare and other DDoS mitigation providers, you may configure the WAF settings to defend DDoS attacks including Wordpress pingback attacks.
Leave a comment
All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.