I have taken over a website where I work that was developed by a previous employee. It seems that recently this site has been the victim of a string of DDoS attacks through the use of the xmlrpc pingback, proven by log entries like this:

154.16.63.40 - - [22/May/2016:06:52:49 +0100] "POST /xmlrpc.php HTTP/1.1" 200 596 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
(Obviously this isn’t a google bot because there is no reason for google to post to this file.)

I believe there are many solutions to this (This tutorial), but I tend to lean towards just outright blocking access to the file. However, I am unsure as to whether this site is actually using the service xmlrpc allows you to use. Is there any particular way I can check if the previous developer has put anything in place to use WordPress xmlrpc functionality? Could I check for functions in specific files, or is there anything that screams out to identify the use?

Any help with this would be great!

EDIT: Would something like this be helpful?

<FilesMatch "^xmlrpc\.php$">
    # Apache 2.2 (mod_access_compat) syntax: deny everyone except the whitelisted address
    Order Deny,Allow
    # IP address whitelist
    Allow from xxx.xxx.xxx.xxx
    Deny from all
</FilesMatch>

If I allow from the IP address of the server, would this work for plugins etc., or do they all have their own IP address that would need to be added?

2 Answers

This looks like a spam bot or an enumeration rather than a DDoS attack. To be sure, you should look into your resource consumption, the dynamics of the IP addresses and maybe the payloads.

1. Blocking access to the xmlrpc.php file:

I think you shouldn’t:

  1. It cannot help you survive a real DDoS attack.
  2. As @cybmeta said, it might break many third-party services.
  3. Allowing access only from certain IPs also doesn't help, because IPs can be faked and you cannot list all the IPs which will use the XML-RPC service.

I often log all IPs which make requests to xmlrpc.php and use iptables to set up a rate limit. Then I block the IPs which are surely evil.

2. How to know if your site is using xmlrpc.php

  1. Functions and resources in WordPress which use the XML-RPC service have the string xmlrpc in their function or file names, so you can skim through your theme and plugins to check if there are any matches.
  2. All XML-RPC requests in WordPress go through xmlrpc.php, which does define('XMLRPC_REQUEST', true), so you can use:
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    // Log the client address of every XML-RPC request to the PHP error log.
    error_log( 'XML-RPC request from ' . $_SERVER['REMOTE_ADDR'] );
    // Or exit immediately if something is evil in the request.
}

Note that you cannot use the code in theme/plugin files. xmlrpc.php is independent from themes and plugins so you must put it in your wp-config.php file.
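The logging-then-blocking approach the answer describes, worked through as an added example that is not part of the original answer. The script below parses Apache "combined" access-log lines (the format of the line quoted in the question), keeps only POSTs to /xmlrpc.php, counts them per client IP, measures each IP's peak request rate inside a sliding window (which is what separates a flood from a slow enumeration), flags clients whose User-Agent claims to be Googlebot, and renders iptables DROP rules as strings for the IPs it flags. The sample log lines are constructed for the example; the rate threshold, the window length and the "WordPress/4.5.2" User-Agent of the legitimate client are assumptions.

```python
"""Summarise POST /xmlrpc.php traffic from Apache 'combined' access-log lines.

Added example (not code from the original post). Thresholds, sample addresses
and the legitimate client's User-Agent string are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_post(rec):
    """True for POST requests to /xmlrpc.php (query string ignored)."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/xmlrpc.php"


def peak_rate(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] < window:
            j += 1
        best = max(best, j - i)
    return best


def summarise(lines, window=timedelta(seconds=60), threshold=10):
    """Per-IP XML-RPC POST statistics plus the IPs that exceed the rate threshold."""
    per_ip = defaultdict(list)  # ip -> list of (timestamp, user-agent)
    for line in lines:
        rec = parse_line(line)
        if rec and is_xmlrpc_post(rec):
            per_ip[rec["ip"]].append((rec["time"], rec["ua"]))
    report = {}
    for ip, hits in per_ip.items():
        report[ip] = {
            "requests": len(hits),
            "peak_per_window": peak_rate([t for t, _ in hits], window),
            # A client that POSTs to xmlrpc.php while calling itself Googlebot is
            # misrepresenting itself. The definitive check (reverse DNS of the IP
            # to a googlebot.com host, then forward DNS back to the same IP) needs
            # network access and is deliberately not done here.
            "fake_googlebot": any("Googlebot" in ua for _, ua in hits),
        }
    flagged = sorted(ip for ip, r in report.items()
                     if r["peak_per_window"] >= threshold or r["fake_googlebot"])
    return {"distinct_ips": len(report), "per_ip": report, "flagged": flagged}


def iptables_drop_rules(ips):
    """Render DROP rules for flagged IPs as strings; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports 80,443 -j DROP"
            for ip in ips]


# --- Constructed sample log (not real traffic) -------------------------------
TZ = timezone(timedelta(hours=1))
T0 = datetime(2016, 5, 22, 6, 52, 49, tzinfo=TZ)
FAKE_BOT = "Googlebot/2.1 (+http://www.google.com/bot.html)"


def make_line(ip, t, ua, method="POST", path="/xmlrpc.php", status=200, size=596):
    """Build one combined-format access-log line for the sample data."""
    stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'


SAMPLE_LINES = (
    # 12 POSTs in 22 seconds from the address in the question's log line
    [make_line("154.16.63.40", T0 + timedelta(seconds=2 * i), FAKE_BOT) for i in range(12)]
    # two slow POSTs from a browser-like client, minutes apart
    + [make_line("203.0.113.7", T0 + timedelta(minutes=m), "Mozilla/5.0 (Windows NT 6.1)")
       for m in (1, 5)]
    # one POST from a client identifying as a WordPress XML-RPC consumer (assumed UA)
    + [make_line("198.51.100.9", T0 + timedelta(minutes=2), "WordPress/4.5.2; https://example.org")]
    # an ordinary page view that must be ignored
    + [make_line("192.0.2.4", T0 + timedelta(minutes=3), "Mozilla/5.0",
                 method="GET", path="/index.php", size=1234)]
)

if __name__ == "__main__":
    result = summarise(SAMPLE_LINES)
    for ip, r in sorted(result["per_ip"].items()):
        print(f"{ip:15} requests={r['requests']:3} peak/60s={r['peak_per_window']:3} "
              f"fake_googlebot={r['fake_googlebot']}")
    print("flagged:", result["flagged"])
    print("\n".join(iptables_drop_rules(result["flagged"])))
```

In real use, replace SAMPLE_LINES with the lines of the server's access log and review the flagged list before applying any rule. Note that iptables sees only addresses and ports, not URLs, so a connection-rate limit at the packet filter cannot target xmlrpc.php specifically; the log-based pass above is what ties a block decision to XML-RPC traffic, and a per-IP limit in the web server or a WordPress-side check on XMLRPC_REQUEST complements it.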
