Hello all,

    I have a problem with what seems to be a botnet hitting my website’s XMLRPC.PHP file several times per second periodically throughout the day. Littered in my log file, there are always thousands of lines that look like this:

    54.221.216.85 - - [19/Aug/2013:11:06:19 -0500] "POST /xmlrpc.php HTTP/1.1" 404 12165 "-" "-"

    From what I understand, hackers have recently used the pingback feature on legitimate WordPress websites to conduct DDoS attacks. This also affects my website; during these attacks, its response time becomes extremely high. My web host, HostGator, has also disabled my account twice because of high CPU usage. However, the only solution they’ve offered is to insert a “deny from all” line in my htaccess file, which generates a 403 or 404 error whenever someone attempts to hit xmlrpc.php.

    Although this might prevent my website from being used in a pingback DDoS attack, it’s not an acceptable solution, as sending out several 403 or 404 error pages per second still results in abnormally high CPU usage and data transfer. Deleting XMLRPC.PHP produced a similar result.

    So, I got the idea of adding the following to my htaccess file:

    # Redirect any request for xmlrpc.php to an unroutable address instead of running PHP
    RewriteRule ^xmlrpc\.php$ http://0.0.0.0/ [R=301,L]

    When I test the fix in my browser, I do get a blank error page without load on my server. Is this an acceptable fix for my problem, or might there be some negative side effects I haven’t anticipated?

Viewing 7 replies - 1 through 7 (of 7 total)
  Thread Starter goldenguineas

    (@goldenguineas)

    I know I’m not the only WordPress webmaster dealing with this problem. Can anyone tell me if this is a viable solution?

    I found your solution simple and helpful, got me out of a jam, so thank you.

    I found a similar method here: https://antti.vilpponen.net/2013/08/26/how-to-mitigate-a-wordpress-xmlrpc-php-attack/ Not sure what’s best, but I used that one.

    nickaster

    (@nickaster)

    Interesting. I just tried the htaccess method and it seems to have helped a lot. What does that Rewrite do, exactly? Just redirects to some bunk IP?

    Thread Starter goldenguineas

    (@goldenguineas)

    That’s what it’s supposed to do — the attacker gets redirected to an invalid IP without causing a PHP load on your server. It seemed to work, but since a networking expert was never willing to respond to this thread I didn’t implement it on my server permanently.

    toastmasterflash

    (@toastmasterflash)

    This is happening to me also. After my host warned me, it looks like this has been happening for many months and I was not seeing it in my logs.

    I just put the block on xmlrpc.php and will watch my stats for the next few weeks. I also banned the IPs that were doing it, about 10 of them.

    I have a botnet attacking my site. I noticed that all of the requests have a particular agent:

    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

    So I redirect them in .htaccess all back to themselves:

    # Block attackers by agents
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp\.WinHttpRequest\.5.*$
    RewriteRule .* https://%{REMOTE_ADDR}/ [R,L]
    </IfModule>
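As an added example (not code from this thread or from any of its posters), the script below works the problem from the log side rather than the rewrite side: it parses Apache combined-format lines of the shape quoted in the original post, finds source addresses that hit /xmlrpc.php several times within a single second, tallies the user agents seen on those requests (the WinHttp string quoted above is one of the constructed samples), and renders a per-file deny block for the flagged addresses. Every log line is constructed; the only value taken from the thread is the first IP, the other addresses are RFC 5737 documentation ranges, and the three-per-second threshold is an assumption you would tune against your own traffic.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the shape of the line quoted in the thread:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not taken from anyone's real server). 54.221.216.85 and
# the WinHttp user agent are the two indicators quoted in the thread; the other
# addresses are RFC 5737 documentation ranges.
FLOOD_LINE = ('54.221.216.85 - - [19/Aug/2013:11:06:19 -0500] '
              '"POST /xmlrpc.php HTTP/1.1" 404 12165 "-" "-"')
WINHTTP_LINE = ('198.51.100.7 - - [19/Aug/2013:11:06:20 -0500] '
                '"POST /xmlrpc.php HTTP/1.1" 200 370 "-" '
                '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"')
SAMPLE_LOG = [FLOOD_LINE] * 6 + [WINHTTP_LINE] * 3 + [
    '203.0.113.9 - - [19/Aug/2013:11:06:20 -0500] "GET / HTTP/1.1" 200 8830 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"',
    '203.0.113.9 - - [19/Aug/2013:11:06:21 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" '
    '"WordPress/3.6; http://example.org"',
    "garbage line that is not in combined format",
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split()
    fields["method"] = parts[0] if parts else ""
    fields["path"] = parts[1].split("?")[0].lower() if len(parts) > 1 else ""
    return fields


def xmlrpc_peak_rate(lines):
    """Peak number of /xmlrpc.php requests per source IP within any single second."""
    per_second = Counter()  # (ip, second-resolution timestamp) -> hits
    for line in lines:
        f = parse_line(line)
        if f is None or f["path"] != "/xmlrpc.php":
            continue
        per_second[(f["ip"], f["ts"])] += 1
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flagged_sources(lines, threshold=3):
    """IPs that hit /xmlrpc.php at least `threshold` times in one second (threshold is an assumption)."""
    return {ip: n for ip, n in xmlrpc_peak_rate(lines).items() if n >= threshold}


def xmlrpc_user_agents(lines):
    """User-agent strings seen on /xmlrpc.php requests, most common first."""
    agents = Counter()
    for line in lines:
        f = parse_line(line)
        if f is not None and f["path"] == "/xmlrpc.php":
            agents[f["ua"]] += 1
    return agents.most_common()


def htaccess_block(ips):
    """Render an Apache 2.2-style per-file deny block for the flagged IPs.
    On Apache 2.4 the equivalent is `Require not ip ...` inside the same <Files> section."""
    rules = "\n".join(f"    Deny from {ip}" for ip in sorted(ips))
    return f"<Files xmlrpc.php>\n    Order allow,deny\n    Allow from all\n{rules}\n</Files>"


if __name__ == "__main__":
    flagged = flagged_sources(SAMPLE_LOG)
    print("peak requests/second to xmlrpc.php:", xmlrpc_peak_rate(SAMPLE_LOG))
    print("flagged:", flagged)
    print("user agents on xmlrpc.php:", xmlrpc_user_agents(SAMPLE_LOG))
    print(htaccess_block(flagged))
```

Run it against a real access log with `flagged_sources(open("access.log"))`. The per-second peaks and user-agent tally give you concrete numbers to hand to a host or put into a firewall rule upstream of Apache, and the `<Files>` deny block, like the redirect trick above, keeps PHP out of the request path entirely for the listed addresses.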
The topic ‘Resolving XMLRPC.PHP DDOS attack with htaccess redirect?’ is closed to new replies.