For quite a while I’d noticed that occasionally my server would be behaving in a less than stellar manner. Deciding to investigate further I noticed in my VPS control panel that memory usage was through the roof. Looking further I found that there were literally hundreds of Apache threads running, this was consuming more than 2GB of memory. I did initially look at Apache’s config, thinking I’d done something dumb, (it does happen 😉 !)
Doing what I should have done first, I looked in the access logs, there was a whole (literal) flood of requests for xmlrpc.php. RPC is used by pingbacks (and a range of other things too) but also can be used to compromise a site… the main reason its attractive to attackers is that in one http request you can embed multiple RPC requests.
I’d already installed a plugin that disables RPC because I wasn’t keen on the idea of it, but alas that doesn’t do anything about the flood of brute force traffic…
As an initial measure I moved xmlrpc.php out of apache’s web root and just to get rid of any stale threads immediately, I restarted Apache and low and behold I get more than 2GB of memory back! better yet it stayed that way… obviously this is only a temporary solution as next update the file will be reinstated.
I decided to completely block access to this file using .htaccess
# protect flood brute force attacks of xmlrpc.php <Files "xmlrpc.php"> Order Allow,Deny Deny from all </Files>
Its always as well to put a comment in your .htaccess for each thing you do, odds on a few years down the line you’ll have forgotten what on earth you were doing that for!…
While I was at it I decided to do something about wp-login.php – although its only one login attempt per request, its still a script kiddy target… While security by obscurity isn’t really security at all, at least if you use a plugin to change the login URL, it one less target for (probably hard coded) scripts.
Moral of the story, if you’re server is a bit roapy, don’t just assume its your service provide being a bit poor, and do investigate your logs!