Posts
Search
Contact
Cookies
About
RSS

Brute force attacks and wordpress

Added 15 Jun 2016, 5:56 p.m. edited 18 Jun 2023, 1:12 a.m.
For quite a while I'd noticed that occasionally my server would be behaving in a less than stellar manner. Deciding to investigate further I noticed in my VPS control panel that memory usage was through the roof. Looking further I found that there were literally hundreds of Apache threads running, this was consuming more than 2GB of memory. I did initially look at Apache's config, thinking I'd done something dumb, (it does happen ;) !) Doing what I should have done first, I looked in the access logs, there was a whole (literal) flood of requests for xmlrpc.php. RPC is used by pingbacks (and a range of other things too) but also can be used to compromise a site... the main reason its attractive to attackers is that in one http request you can embed multiple RPC requests. I'd already installed a plugin that disables RPC because I wasn't keen on the idea of it, but alas that doesn't do anything about the flood of brute force traffic... As an initial measure I moved xmlrpc.php out of apache's web root and just to get rid of any stale threads immediately, I restarted Apache and low and behold I get more than 2GB of memory back! better yet it stayed that way... obviously this is only a temporary solution as next update the file will be reinstated. I decided to completely block access to this file using .htaccess 
# protect flood brute force attacks of xmlrpc.php
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>
Its always as well to put a comment in your .htaccess for each thing you do, odds on a few years down the line you'll have forgotten what on earth you were doing that for!... While I was at it I decided to do something about wp-login.php - although its only one login attempt per request, its still a script kiddy target... While security by obscurity isn't really security at all, at least if you use a plugin to change the login URL, it one less target for (probably hard coded) scripts. Moral of the story, if you're server is a bit roapy, don't just assume its your service provide being a bit poor, and do investigate your logs!