Protect Your WordPress Website From xmlrpc.php Attack

I have seen many WordPress websites hit by the xmlrpc.php attack. This is a type of brute-force attack: attackers try to log in to your WordPress website through xmlrpc.php.

The xmlrpc.php attack is also known as the XML-RPC attack. If your website is under this attack, you will see many POST entries for /xmlrpc.php:

POST /xmlrpc.php

Below is the log of a WordPress website under xmlrpc.php attack.

160.153.154.140 - - [23/Jul/2019:05:55:59 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
178.128.124.65 - - [23/Jul/2019:07:33:16 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
202.182.122.233 - - [23/Jul/2019:08:02:27 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.71.230.48 - - [23/Jul/2019:09:35:26 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
182.50.132.89 - - [23/Jul/2019:10:20:35 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
138.201.123.88 - - [23/Jul/2019:10:56:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Poster"
89.46.106.95 - - [23/Jul/2019:11:31:03 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress"
107.180.109.28 - - [23/Jul/2019:11:59:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Poster"
184.154.206.2 - - [23/Jul/2019:12:30:35 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
178.128.23.162 - - [24/Jul/2019:01:24:56 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
185.2.5.32 - - [24/Jul/2019:01:33:45 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
54.39.148.97 - - [24/Jul/2019:01:54:19 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
138.197.109.199 - - [24/Jul/2019:02:08:09 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
107.189.3.58 - - [24/Jul/2019:02:16:48 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
75.119.200.105 - - [24/Jul/2019:02:29:21 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
68.183.129.196 - - [24/Jul/2019:02:43:29 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.255.83.71 - - [24/Jul/2019:02:53:31 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
207.148.116.171 - - [24/Jul/2019:03:05:03 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
1.10.140.44 - - [24/Jul/2019:03:16:52 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
132.148.105.132 - - [24/Jul/2019:03:28:25 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
66.45.245.146 - - [24/Jul/2019:03:39:54 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
165.22.83.3 - - [24/Jul/2019:03:53:08 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
103.221.222.251 - - [24/Jul/2019:04:52:59 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
46.105.115.15 - - [24/Jul/2019:05:04:22 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
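
An added example (not part of the original article): a Python summary of POST requests to xmlrpc.php in an Apache combined-format access log. Each request in the log above comes from a different IP address, so it groups by user agent and status code as well as by source. The sample lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), shaped like the log above.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2019:05:55:59 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
198.51.100.7 - - [23/Jul/2019:07:33:16 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
203.0.113.5 - - [23/Jul/2019:08:02:27 -0700] "POST /xmlrpc.php?a=1 HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.9 - - [23/Jul/2019:08:05:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2019:09:00:00 -0700] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Poster"
this line is not a valid log entry
"""

def summarize_xmlrpc(lines):
    """Summarize POST requests to xmlrpc.php by source IP, user agent and status."""
    ips, agents, statuses = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        # Ignore any query string and match the script name case-insensitively
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/xmlrpc.php"):
            continue
        total += 1
        ips[m["ip"]] += 1
        agents[m["agent"]] += 1
        statuses[m["status"]] += 1
    return {"total": total, "ips": ips, "agents": agents, "statuses": statuses}

def block_is_effective(summary):
    """True if every observed POST was refused with 403 (assumed sign of a working block)."""
    return summary["total"] > 0 and set(summary["statuses"]) == {"403"}

if __name__ == "__main__":
    s = summarize_xmlrpc(SAMPLE_LOG.splitlines())
    print("POSTs to xmlrpc.php:", s["total"], "from", len(s["ips"]), "distinct IPs")
    for agent, n in s["agents"].most_common():
        print(f"  {n:3d}  {agent}")
    print("status codes:", dict(s["statuses"]), "blocked:", block_is_effective(s))
```

Run it against the log lines recorded after the block is in place: every POST to xmlrpc.php should then show status 403.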

How to protect WordPress website from xmlrpc.php attack

Just copy and paste the code below into the .htaccess file located in the WordPress root directory.

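# Block WordPress xmlrpc.php requests
# Apache 2.2 access-control syntax; Apache 2.4 honours it only when mod_access_compat is loaded
<Files xmlrpc.php>
# Evaluate Deny directives first, then Allow
order deny,allow
# Refuse every client; Apache answers with 403 Forbidden
deny from all
</Files>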

Hope this article was helpful to you.
