Server Management – DDOS attack via XMLRPC in WordPress

One thing I am not is a server administrator. I can get by with most stuff to do with servers, with a lot of Googling, but if I then need to start fiddling with Apache configuration files and stuff like that – then I am out of my depth.

Recently I was tasked with working out why a website that I built kept going offline (several times a day – sometimes for 2 minutes, sometimes for 8 hours). I had a look and couldn’t see anything immediately wrong and this is when I normally suggest that the issue gets escalated to a server technician who is going to know what to look for, where to look and how to fix it. However…this server was not a managed server and had no level of support to speak of. All I had was the support guys who said useful stuff like “check the logs”, or “must be a problem with the website”. Cheers.

Hours and hours (probably around 20!) of endless Googling, looking at logs which I had no idea what they were telling me, faffing around with Apache and mySQL configurations, rebooting, restarting, seeing he problem get better, then seeing it get worse. Eventually after what seemed forever, I had a look at the logs for the other websites on the server. Bingo!

I saw the access log which had 130,000+ hits for today from the same IP address, hammering the xmlrpc.php file in WordPress. This seems to be one of the methods of choice for today’s WordPress hackers. The site which I had developed had the xmlrpc disabled completely, but this older site did not. So, I immediately turned it off using the excellent iThemes Security plugin, and then looked into ways of banning this IP address as it was still hitting the site and server relentlessly.

I noticed that the server (which was run by Plesk) did not have a firewall installed, so I enabled that and then created a custom rule to block this IP from all ports on the server. That should be the end of that with regards to this IP, if an attack starts from another IP, then I’m hoping that by disabling the xmlrpc completely, it won’t take the server down.  We’ll see.

Server load immediately returned to normal when this IP got blocked and the sites returned to their usual speedy selves. Scared of getting the death knell of my phone buzzing as I try to fall asleep tonight which always makes my heart leap as it usually means that a site has gone down. Crossing my fingers that this site will remain online for a long time.

Leave a Reply

Your email address will not be published. Required fields are marked *