  1. #1
    Join Date
    Mar 2006
    Location
    Indianapolis
    Posts
    86

    High Load on Shared Server Due to Multiple XMLRPC "Attacks"?

    I've spent a long time researching this issue, and it's got me stumped.

    Basically, I have a shared server with multiple accounts - many of whom run a Wordpress website. For the most part, they are all very good about keeping the software updated. The rest of them either get updated via Softaculous or manually. Definitely not a hugely neglected Wordpress issue by any means here.

    The problem is... The server load gets sky high throughout the day and brings the server to a crawl. Upon inspection, it seems to be the same issue each time. Multiple strings in SSH displaying some kind of XMLRPC access via Apache. Again, all of these are Wordpress sites - so it's definitely related to that file within Wordpress.

    Deleting the actual XMLRPC file in each Wordpress directory doesn't help a whole lot because it just comes back when we update the software and it re-installs the base files.

    Is there some kind of remedy out there for this? See my screenshot below. This is just a very slow time, but constant throughout the day. At peak times, there are hundreds of these lines on various accounts.

    [Attachment: xmlrpc-bad.jpg]

  2. #2
    Join Date
    Aug 2010
    Location
    United States of America
    Posts
    519
    There are .htaccess rules you can put into place to secure this. It's a fairly common inconvenience.
    - https://wordpress.org/support/topic/delete-xmlrpcphp

    Check that out, and let your customers know that they should add those rules to their .htaccess to "secure" the website. These won't be overwritten by a WordPress update unless you're running a special .htaccess plugin.
    GlowHost → Affordable Managed Web Hosting Since 2002.
    - Cloud Servers - Hot Failover + Clustered Storage
    - Managed Dedicated Servers - Semi-Dedicated Servers
    - Shared & Reseller packages - 20 Min Ticket Response - 24/7/365 Phone & Live Chat

  3. #3
    Join Date
    Jan 2013
    Location
    Italy
    Posts
    87
    This plugin could help you for this issue: https://it.wordpress.org/plugins/better-wp-security/
    IT developing and content marketing - trovalost.it

  4. #4
    Join Date
    Mar 2006
    Location
    Indianapolis
    Posts
    86
    Yeah, I have thought about these two approaches before... the challenge I have is that I lack WordPress credentials to my client sites, and the .htaccess stuff always seems to screw with the client website SEO and redirections, etc. Not to mention, many people in the WordPress areas all claim it doesn't work to stop this type of attack. I will revisit both of these again though.

    Thanks for the ideas.

  5. #5
    Join Date
    Mar 2010
    Location
    CMYK-Land
    Posts
    1,400
    I had a similar situation where some of my clients' WP sites started to get thousands of hits per day just on xmlrpc.php. First I tried to use some plugins, but they didn't help because all of them rely on WP, and that means using server resources (less, but not that much less).
    If you can use fail2ban, then I would suggest getting the f2b plugin to ban all IPs with more than X failed attempts, and .htaccess to block xmlrpc.php. The only plugin that would have a problem with that is JetPack (not sure if there are more) because it needs xmlrpc.php, but I didn't use it so it was an easy solution for me. In case you can't use f2b, then you could go with .htaccess and .htpasswd to prevent direct access to the wp-login.php file. It could be a little annoying to have a double login for each WP, but better than hundreds/thousands of hits on wp-login.php.

    If you don't manage the WP sites of your clients, then CloudLinux is your best option, and leave it to them how to sort everything out.
    - I often come to the conclusion that my brain has too many tabs open. -
    Failing at desktop publishing & graphic design since 1994
    .
    Pretty soon we can expect hosting companies offering "double unlimited"
    or
    "not limited unlimited with no limits".

  6. #6
    Join Date
    Nov 2014
    Posts
    391
    You can also have mod security rules on the server for these attacks, you can find the rules here:

    https://gist.github.com/arg0sy/20a85ce5187d9dfc159b
    www.24x7serversolutions.com - Provides 24x7 Server Management & Services
    Server Security | Custom Bash Scripts | Proactive server monitoring | Hack Investigation | Migration Experts
    Contact : sales@24x7serversolutions.com Skype : serversolutions24x7

  7. #7
    Join Date
    Oct 2007
    Location
    9.9N 76.2E , Planet Earth
    Posts
    1,003
    Check the access log(domlogs) for the domains under attack. Probably you can easily block a couple of IP's to block them out.

    Also you can get an nginx proxy server and setup rate limiting from IP's to remedy the load-going-up situation.
    A U T O M 8 N . C O M
    High Available webstack for cPanel
    Active-Active redundancy and High Availability plugin for cPanel
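The log check post #7 describes (read the domlogs, find the domains under attack and the handful of IPs behind it) and the per-IP threshold post #5 wants from fail2ban, as an added example that is not code from any post in this thread: a Python script that parses cPanel-style per-domain access logs in Apache "combined" format, counts xmlrpc.php hits per domain and per source IP, and flags IPs that cross a fail2ban-style maxretry/findtime threshold counted across every domain on the box. The domains, IPs and log lines are constructed for the example; the Jetpack User-Agent check is only a hint, because that header is set by the client.

```python
"""Count xmlrpc.php hits per domain and per source IP in Apache domlogs.

Added example for this thread (not code from any post). Assumes cPanel-style
per-domain access logs in Apache "combined" format; SAMPLE_DOMLOGS is
constructed test data, not real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# xmlrpc.php in the docroot or in a subdirectory install, with or without a query string.
XMLRPC_RE = re.compile(r'(?:^|/)xmlrpc\.php(?:\?|$)')

# Constructed sample domlogs keyed by domain (TEST-NET addresses, not real clients).
SAMPLE_DOMLOGS = {
    "example.com": """\
203.0.113.7 - - [14/Mar/2016:10:00:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:00:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:00:05 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:00:08 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2016:10:00:10 -0400] "GET / HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:00:12 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:00:15 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:00:16 -0400] "-" 408 - "-" "-"
192.0.2.10 - - [14/Mar/2016:10:00:20 -0400] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack by WordPress.com"
""",
    "example.org": """\
203.0.113.7 - - [14/Mar/2016:10:01:00 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:01:02 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2016:10:01:04 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2016:10:01:10 -0400] "GET /blog/xmlrpc.php?rsd HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2016:10:30:00 -0400] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
""",
}


def parse_domlog(domain, text):
    """Yield (domain, ip, timestamp, method, user_agent) for each xmlrpc.php request.

    Lines that are not valid combined-format requests (e.g. the "-" request line
    Apache logs for a 408 timeout) are skipped rather than crashing the report.
    """
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m or not XMLRPC_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield domain, m["ip"], ts, m["method"], m["ua"]


def collect_hits(domlogs):
    """Flatten every domlog on the server into one list of xmlrpc.php hits."""
    return [hit for domain, text in domlogs.items() for hit in parse_domlog(domain, text)]


def hits_per_domain(hits):
    """Which accounts are actually being hammered (post #7's 'check the domlogs')."""
    return Counter(domain for domain, *_ in hits)


def ips_over_threshold(hits, maxretry=5, findtime=600):
    """fail2ban-style trigger: IPs with >= maxretry hits inside any findtime-second
    window. Counted across all domains, because one source usually sprays every
    WordPress install on the box. Returns {ip: total_hits} for IPs that trip it."""
    by_ip = defaultdict(list)
    for _domain, ip, ts, *_ in hits:
        by_ip[ip].append(ts)
    tripped = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window's left edge forward until it spans <= findtime seconds.
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                tripped[ip] = len(stamps)
                break
    return tripped


def jetpack_candidates(hits):
    """IPs presenting the Jetpack User-Agent that post #12's rule exempts. The header
    is client-controlled, so confirm these out of band before adding 'allow from' lines."""
    return sorted({ip for _d, ip, _ts, _m, ua in hits if ua.startswith("Jetpack by WordPress.com")})


if __name__ == "__main__":
    hits = collect_hits(SAMPLE_DOMLOGS)
    print("xmlrpc.php hits per domain:", dict(hits_per_domain(hits)))
    print("IPs to ban (>=5 hits in 10 min):", ips_over_threshold(hits))
    print("possible Jetpack sources (verify first):", jetpack_candidates(hits))
```

On a real box the dict would be built by reading each file under the domlogs directory; the sliding window is the same logic fail2ban applies with its maxretry and findtime settings, so the numbers this reports are the ones that would end up in the firewall once an xmlrpc jail is in place.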

  8. #8
    Join Date
    Jan 2013
    Posts
    400
    Ban their IP or prune the user, then update your security.
    Enjoy life today, because yesterday is gone, and tomorrow is never promised.

  9. #9
    You can put this code in your /home/usernamehere/public_html/.htaccess file:

    # Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4).
    # Order Deny,Allow: the deny is evaluated first, then any "allow from" lines
    # override it, so whitelisted IPs actually get through.
    <Files "xmlrpc.php">
    Order Deny,Allow
    deny from all
    </Files>
    Now requests to xmlrpc.php will be denied. If you want to whitelist some IPs, then you can add them with a line like "allow from 1.2.3.4" (without quotes) inside the Files block.

    Note: If you use this code then plugins like Jetpack will not be able to connect to your WordPress, but if you allow their server IP then you will be able to use Jetpack.

    (All plugins which use remote login will not work until you add their server/API IP to the allowed list.)


    Mod_Security
    Adding a modsecurity rule will not help you. Only IPs will be blacklisted, but if you receive too many requests then the server load will increase and the server will crash.
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  10. #10
    Join Date
    Mar 2006
    Location
    Indianapolis
    Posts
    86
    Quote Originally Posted by serversolutions24x7 View Post
    You can also have mod security rules on the server for these attacks, you can find the rules here:

    https://gist.github.com/arg0sy/20a85ce5187d9dfc159b
    I did end up trying several variants of this with mod security, but then this happened today....
    [Attachment: xmlrpc-really-bad.gif]

  11. #11
    Join Date
    Nov 2014
    Posts
    391
    Yes, I agree that mod_security is not a complete solution, but is your firewall blocking the IPs triggered by mod_security?

    Basically this attack is not on the server but is hitting outdated WP, so in such cases you can block the xmlrpc attack on specific domains by using the .htaccess deny method, and also figure out exactly which domains are being attacked and contact clients accordingly.
    www.24x7serversolutions.com - Provides 24x7 Server Management & Services
    Server Security | Custom Bash Scripts | Proactive server monitoring | Hack Investigation | Migration Experts
    Contact : sales@24x7serversolutions.com Skype : serversolutions24x7

  12. #12
    Try this in /home/.htaccess

    ## Begin Malicious Request Mitigation
    RewriteEngine On
    ErrorDocument 416 "Invalid Request"
    # Match POST requests for xmlrpc.php (dot escaped so only a literal dot matches)
    RewriteCond %{THE_REQUEST} "^POST /xmlrpc\.php"
    # Let requests carrying Jetpack's User-Agent through; everything else gets a 416
    # straight from Apache and never reaches PHP
    RewriteCond %{HTTP_USER_AGENT} !^Jetpack\ by\ WordPress\.com [NC]
    RewriteRule .* - [R=416,L]
    ## End Malicious Request Mitigation
