By Tyler Jefford

On January 20th, 2016

Technology , Security , WordPress

Please note this was article written during WordPress release 4.6

Over the course of the last couple months, I’ve noticed a huge problem with all my Wordpress sites. They keep crashing! It just didn’t make sense, the css, html and javascript are all minified. Images are optimized and security settings have been updated in the form of All In One WP Security & Firewall plugin. Why does the site keep going down?

As it turns out, the public facing API Wordpress included by default was getting nailed with a brute force attack. It's not as noticeable if you don’t check your logs regularly, but the short story is that someone pointed a script to ping the API of public WordPress sites multiple times per second, causing the server to become overloaded with requests.

vi var/log/apache2/access.log

Terminal output of brute force attack

Hundreds of lines of POST requests to xmlrpc.php

Using DigitalOcean (referral link), it is pretty easy for anyone on the team to go in and do a power cycle when they see a site is down. But this would continue to happen multiple times per day. So that's not a solution, but a bandaid.

The best way for the team I was on was to just block access to the API. Which will work for you too, unless you absolutely need access to the API, then you will want to look into whitelisting your IP addresses. Restricting the API will remove access to this site via a mobile app, but will also increase security

Using .htaccess

In your .htaccess file add the following snippet.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>order deny,allowdeny from all</Files>

Using functions.php

In your theme folder, you can add a line in functions.php to block access to the API.

addfilter("xmlrpcenabled", "_returnfalse");

Using a plugin

There are a bunch of plugins that claim to block access to the API, but its really up to your discretion on installing them to test the functionality and if they pass muster. The WordPress Plugin Directory that may prevent access to the API.

Alternate Route

Instead of blocking access to the file, you can also just block an IP from Apache. This is not really fixing the problem, but maybe its helpful to know its an option. It’s a good way to stop the bleeding to explore a longer term solution.

In your server terminal you can use the following snippet to block an IP from your iptables.

iptables -I INPUT -s <IP ADDRESS> -j DROP
service iptables save

In conclusion, you should always check your logs first and look for odd patterns, such as a ton of traffic to a single file in a short period of time. Research the common security threats that are being used for the platform you are working with (in this case WordPress). Finally, learn the actions you can take based on these threats, so you can hopefully prevent a website from going down for these reasons.