Stop A Wordpress API Brute Force Attack

By Tyler Jefford • January 20th, 2016

Over the course of the last couple of months, I've noticed a huge problem with all my WordPress sites. They keep crashing! It just didn't make sense: the CSS, HTML and JS are all minified, images are optimized, and security measures have been taken in the form of All In One WP Security & Firewall. Why does the site keep going down?

Turns out, the public-facing XML-RPC API that WordPress exposes (xmlrpc.php) was getting hammered with brute-force attacks. It's not as noticeable if you don't check your logs regularly, but the short story is that a bot was hitting the API multiple times per second, and the load was overwhelming the server.

vi /var/log/apache2/access.log

[Image: terminal output of the brute-force attack, showing hundreds of lines of POST requests to xmlrpc.php]
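To pull that pattern out of the log instead of scrolling through it in vi, here is an added Python example (not code from the original post). It parses Apache combined-format access log lines, counts POSTs to xmlrpc.php per client IP, and flags any address whose peak requests-per-second or total count crosses a threshold. The log lines, IP addresses and thresholds are constructed for illustration; on a live server you would feed it /var/log/apache2/access.log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format log lines (not real traffic):
# one address hammering xmlrpc.php several times per second, plus normal
# traffic from two other addresses, including one legitimate XML-RPC call.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2016:10:15:32 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2016:10:15:32 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2016:10:15:32 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2016:10:15:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2016:10:15:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jan/2016:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jan/2016:10:15:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress/4.4"
192.0.2.9 - - [20/Jan/2016:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, two ident/user fields, [timestamp],
# then the quoted request line ("METHOD /path HTTP/x.y").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache timestamps look like 20/Jan/2016:10:15:32 +0000 (whole-second resolution).
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def xmlrpc_hits(lines):
    """Per client IP: (total POSTs to xmlrpc.php, peak POSTs within a single second)."""
    total = defaultdict(int)
    per_second = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash on a dirty log
        ip, ts, method, path = parsed
        # Strip any query string before matching the file name.
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            total[ip] += 1
            per_second[ip][ts] += 1
    return {ip: (total[ip], max(per_second[ip].values())) for ip in total}


def flag_offenders(lines, per_second_threshold=2, total_threshold=10):
    """IPs whose xmlrpc.php POST rate looks like a brute-force bot, busiest first.

    The thresholds are illustrative defaults; tune them to your own traffic,
    since legitimate clients (Jetpack, mobile apps) do make occasional calls.
    """
    stats = xmlrpc_hits(lines)
    offenders = [
        ip for ip, (total, peak) in stats.items()
        if peak >= per_second_threshold or total >= total_threshold
    ]
    return sorted(offenders, key=lambda ip: stats[ip][0], reverse=True)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stats = xmlrpc_hits(lines)
    for ip in flag_offenders(lines):
        total, peak = stats[ip]
        print(f"{ip}: {total} xmlrpc.php POSTs, peak {peak}/s")
```

Run against the sample, only 203.0.113.7 is flagged (five POSTs, three of them within one second); 198.51.100.4 made a single call and stays under both thresholds. The flagged addresses are the candidates for the per-IP firewall rule described under "Alternate Route" below, and the per-second peak is the number to watch if you want to confirm the "multiple times per second" pattern rather than just a high total.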

With DigitalOcean, it's pretty easy for anyone on the team to go in and do a power cycle when they see a site is down. But this would happen multiple times per day, so that's not a solution, just a band-aid.

The best way for us was to just block access to the API. That will work for you too, unless you absolutely need access to the API, in which case you will want to look into whitelisting your IP addresses.

Using .htaccess

In your .htaccess file add the following snippet.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Using functions.php

In your theme folder, you can also add a line to functions.php to block access to the API. Note that this filter only disables the XML-RPC methods that require authentication, so it stops the password guessing; xmlrpc.php itself still answers requests, so unlike the .htaccess block it does not keep the bot's traffic from reaching PHP.

add_filter( 'xmlrpc_enabled', '__return_false' );

Using a plugin

There are a bunch of plugins that claim to block access to the API, but it's really up to your discretion to install and test them. Search the Plugin Directory for plugins that may prevent access to the API.

Alternate Route

Instead of blocking access to the file, you can also just block an IP address from accessing your server. This doesn't really fix the problem, but it's helpful to know it's an option. Replace <IP ADDRESS> with the offending address you found in the access log.

iptables -I INPUT -s <IP ADDRESS> -j DROP

service iptables save

The save command above is the Red Hat/CentOS way of persisting rules across reboots; on Debian/Ubuntu (where Apache logs to /var/log/apache2, as above) there is no iptables service, and you persist the rules with the iptables-persistent package instead.

In conclusion, you should always check your logs first and look for odd patterns, such as a ton of hits to one file in a short period of time. Research the common security threats used against the platform you are working with (in this case WordPress). Finally, learn the actions you can take against those threats, so you can hopefully prevent a website from going down for these reasons.