Brute force attacks and wordpress

By | June 15, 2016

For quite a while I’d noticed that occasionally my server would be behaving in a less than stellar manner.  Deciding to investigate further I noticed in my VPS control panel that memory usage was through the roof.  Looking further I found that there were literally hundreds of Apache threads running, this was consuming more than 2GB of memory.  I did initially look at Apache’s config, thinking I’d done something dumb, (it does happen 😉 !)

Doing what I should have done first, I looked in the access logs, there was a whole (literal) flood of requests for xmlrpc.php.  RPC is used by pingbacks (and a range of other things too) but also can be used to compromise a site… the main reason its attractive to attackers is that in one http request you can embed multiple RPC requests.

I’d already installed a plugin that disables RPC because I wasn’t keen on the idea of it, but alas that doesn’t do anything about the flood of brute force traffic…

As an initial measure I moved xmlrpc.php out of apache’s web root and just to get rid of any stale threads immediately, I restarted Apache and low and behold I get more than 2GB of memory back! better yet it stayed that way… obviously this is only a temporary solution as next update the file will be reinstated.

I decided to completely block access to this file using .htaccess

# protect flood brute force attacks of xmlrpc.php
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>

Its always as well to put a comment in your .htaccess for each thing you do, odds on a few years down the line you’ll have forgotten what on earth you were doing that for!…

While I was at it I decided to do something about wp-login.php – although its only one login attempt per request, its still a script kiddy target… While security by obscurity isn’t really security at all, at least if you use a plugin to change the login URL, it one less target for (probably hard coded) scripts.

Moral of the story, if you’re server is a bit roapy, don’t just assume its your service provide being a bit poor, and do investigate your logs!

Leave a Reply

Your email address will not be published. Required fields are marked *