• robfaich

    (@robinfaichney)


    I run a handful of sites using WP. For a while now I’ve been noticing increasing numbers of brute force attacks on xmlrpc.php. About 3 weeks ago I switched on IP blocking (using Shield) on all the sites.

    The immediate effect was to reduce the bandwidth consumed by each attack, but since then the number of attacks on all sites has increased quite steeply, so the total bandwidth consumed is significantly higher than before, and the monthly running total increases almost every day.

    I’m now wondering whether blocking IPs has actually attracted attackers, for instance because they can’t now see that this is a recent WP version and so immune to that particular type of attack. I’ve noticed that occasionally an attack will continue for many hours, presumably because the hackbot isn’t designed to give up on repeatedly dropped connections. So is it likely that some other design flaw makes sites blocking IPs more attractive?

    It’s a shared hosting server running Windows 2012 with IIS.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Blocking the IPs doesn’t increase the attacks. I’ve noticed an increase in posts to XMLRPC.php on my server over the past week or so. I now redirect them back to the source to 127.0.0.1 with a rewrite rule at the web server level.

    Thread Starter robfaich

    (@robinfaichney)

    Thanks sterndata but I’m finding it hard to believe that the sort of increase in attacks I’m seeing is not due to something about this setup.

    I said before that the running monthly bandwidth usage total increases nearly every day, but over the past 24 hours it rose by over 7%, and it’s well over 40% up on 10 days ago. Over that period bandwidth on my three busiest sites is 87%, 95% and 98% due to xmlrpc.php.

    I don’t have server level access and don’t believe I can use URL rewrite (there’s nothing in online support about it). Any other suggestions?

    Thread Starter robfaich

    (@robinfaichney)

    Just discovered I can use rewrite rules after all, looking into it.

    Meanwhile: anybody care to comment on desirability of redirecting xmlrpc.php requests back to 127.0.0.1 versus IP blocking?

  • The topic ‘Increased attacks on xmlrpc.php due to IP blocking?’ is closed to new replies.
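
An added example, not part of any post in this thread: one way to measure the xmlrpc.php share of bandwidth discussed above from IIS W3C logs, so the effect of IP blocking or a rewrite rule can be compared before and after. It assumes the optional `sc-bytes` and `cs-bytes` fields are logged and that bandwidth counts both directions; the function name and the sample log lines are constructed.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation-range IPs).
# Assumption: the optional sc-bytes and cs-bytes fields are enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes cs-bytes
2024-01-01 00:00:01 POST /xmlrpc.php 203.0.113.5 200 4200 900
2024-01-01 00:00:02 POST /XMLRPC.php 203.0.113.5 200 4200 900
2024-01-01 00:00:03 POST /xmlrpc.php 198.51.100.7 403 300 900
2024-01-01 00:00:04 GET /index.php 192.0.2.10 200 1500 400
2024-01-01 00:00:05 GET /wp-content/style.css 192.0.2.10 200 1000 400
"""

def xmlrpc_report(log_text, target="/xmlrpc.php"):
    """Return byte share, per-status and per-client counts for `target`."""
    fields = []
    total = hit_bytes = 0
    by_status, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        try:
            # Assumption: bandwidth = response bytes plus request bytes.
            size = int(row["sc-bytes"]) + int(row["cs-bytes"])
        except (KeyError, ValueError):
            continue
        total += size
        # IIS paths are case-insensitive, so compare in lower case.
        if row.get("cs-uri-stem", "").lower() == target:
            hit_bytes += size
            by_status[row.get("sc-status", "?")] += 1
            by_ip[row.get("c-ip", "?")] += 1
    share = 100.0 * hit_bytes / total if total else 0.0
    return {"share_pct": round(share, 1), "by_status": dict(by_status),
            "top_clients": by_ip.most_common(3)}

if __name__ == "__main__":
    print(xmlrpc_report(SAMPLE_LOG))
```

The `by_status` breakdown shows whether requests to xmlrpc.php are still being answered in full (200) or are already being refused, which is where the bytes per request differ.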