• So for a while now I’ve been getting hundreds of requests to my xmlrpc file. The first solution my host offered was to tell me to block the IPs. My poor .htaccess file became a 2 MB monster with 80784 lines of code.

    It worked and stopped all countries except the few I wanted to keep.

    That didn’t feel like the right solution and I did feel a slowdown of my site.

    So contacting my host again they told me to add this:

    <Files "xmlrpc.php">
    Order Allow,Deny
    deny from all
    </Files>

    Again, no real change, maybe a slight slowdown of requests.

    Back to the host. Here is what they said:

    I have properly blocked the xmlrpc requests and confirmed https://danielalao.com/xmlrpc.php no longer loads the xmlrpc file.

    Great, so that doesn’t exist. Alas, I was still getting requests from bots, which I assume will still cause a strain on my site.

    I sent them the pages from Wordfence:

    https://s17.postimg.org/5ztxveklr/image.png
    https://s17.postimg.org/sfq5isekv/image.png
    https://s17.postimg.org/tgqe7wvkf/image.png
    https://s17.postimg.org/x2w7kk1xr/image.png
    https://s17.postimg.org/c265zmyfj/image.png

    I also downloaded a plugin called ‘Disable XML-RPC’, which did nothing as far as I can see.

    Then from the host:

    Unfortunately, short of blocking their IP addresses there is little that you can do to prevent them from scanning the website. These are bots that scan the entire internet for files that they can compromise. However, in your case, the file xmlrpc.php has been disabled, if you try to visit it it shows a 404 error, meaning that even though they are still trying to reach that file, there is no way they will be able to use it maliciously. The plugin that you are using also confirms this, as it shows they are all trying to access a non-existent page.

    He then asked if my site was still running slow. Since it wasn’t, I guess I’m supposed to ignore the constant requests?

    Any recommendations I haven’t tried?

    I did see this code on another thread but there was no follow-up to see if it worked for anyone to stop requests: RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]

Viewing 5 replies - 1 through 5 (of 5 total)
  • If you’re blocking the requests with .htaccess, the “strain” on your site will be minimal assuming that they’re not hitting you 100 times a second. From your screenshots it looks like you’re getting probed once every few seconds to few minutes, which is very low.

    Don’t worry about it, it’s blocked, they can’t get in that way. Instead of locking the door to your house, you removed it and bricked up the hole.

    Should the number of requests increase to a point that your website *does* slow down, that’s a DDOS and you’ll need to use a service like Cloudflare to protect yourself.
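The check described in the reply above (are the probes really blocked, and how often do they arrive?) can be run against the web server's access log. This is an added example, not part of the original thread: it assumes Apache combined log format, and the sample lines, addresses and dates are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2017:10:00:09 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "curl/7.50"
192.0.2.15 - - [12/Mar/2017:10:01:30 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2017:10:03:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def summarize_xmlrpc(log_text, target="/xmlrpc.php"):
    """Summarize hits on `target`: status codes, request rate, and unblocked hits."""
    statuses, per_second, served = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path.lower() != target:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        statuses[m["status"]] += 1
        per_second[ts] += 1
        # A 2xx status means the request was served, so the block is not in effect.
        if m["status"].startswith("2"):
            served.append((m["ip"], m["ts"]))
    span = (max(per_second) - min(per_second)).total_seconds() if per_second else 0
    total = sum(statuses.values())
    return {
        "total": total,
        "statuses": dict(statuses),
        "peak_per_second": max(per_second.values(), default=0),
        "avg_per_minute": round(total / (span / 60), 2) if span else float(total),
        "served": served,
    }

if __name__ == "__main__":
    print(summarize_xmlrpc(SAMPLE_LOG))
```

An empty `served` list with only 403/404 statuses matches what the host reported; a sustained `peak_per_second` far above the few-per-minute probing seen here is the point at which the reply's advice about a DDoS protection service applies.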

    Thread Starter Daniela Lao

    (@daniela-lao)

    Ok, well that puts my mind at ease then. Thanks!

    Thread Starter Daniela Lao

    (@daniela-lao)

    Can an admin please delete this thread? I can’t seem to edit out any of the screenshots.

    I don’t think they can change anything. If you have control over those images, just delete them on postimg.org.

    Thread Starter Daniela Lao

    (@daniela-lao)

    Yeah, I never created an account to host those images so I don’t think if I made one now I would be able to adjust or remove them from postimg.

    I don’t see why an admin/mod can’t remove the images or delete this thread. Bots/hackers seem to be coming from this page and trying to access that xmlrpc.php. Not that anything is there, but I’d rather not have the info up for them to even see.

    Thanks for the help though!

  • The topic ‘Heavy xmlrp.php attack even after .htaccess "solution"’ is closed to new replies.